Exploit for php platform in category web applications
Netsweeper 4.0.4 - Multiple Vulnerabilities
+---------------------------------------------------+
+ Netsweeper 4.0.4 - Cross Site Scripting Injection +
+---------------------------------------------------+
Affected Product: Netsweeper
Vendor Homepage : www.netsweeper.com/
Version : 4.0.4 (and probably other versions)
Discovered by : Anastasios Monachos (secuid0) - [anastasiosm (at) gmail (dot) com]
Patched : Yes
CVE : CVE-2014-9607, CVE-2014-9612, CVE-2014-9615
+---------------------+
+ Product Description +
+---------------------+
Netsweeper is a software solution specialized in content filtering.
+----------------------+
+ Exploitation Details +
+----------------------+
One parameters in Netsweeper 4.0.4 and 4.0.3 (and probably other versions) was identified being vulnerable to XSS injection attacks, details provided below.
URL Path: https://netsweeper/remotereporter/load_logfiles.php?server=018192&url=[XSS]
URL Path: http://netsweeper:8080/webadmin/deny/index.php?dpid=1&dpruleid=1&cat=1&ttl=5018400&groupname=<group_name_eg_netsweeper_student_allow_internet_access&policyname=auto_created&username=root&userip=127.0.0.1&connectionip=127.0.0.1&nsphostname=netsweeper&url=[XSS]
+----------------------------------+
+ Netsweeper 4.0.4 - SQL Injection +
+----------------------------------+
Once specific parameter in Netsweeper 3.0.6, 4.0.3 and 4.0.4 (and probably other versions) was identified being vulnerable to SQL injection attacks.
Condition: The exploitation can be performed by any non-authenticated user with access to the vulnerable pages (usually from everyone).
Vulnerable Page: http://netsweeper:8080/remotereporter/load_logfiles.php?server=<SQLi>&url=a
Vulnerable GET Parameter: server
+-------------------------------------------+
+ Netsweeper 4.0.4 - Information Disclosure +
+-------------------------------------------+
Any request that redirects to the deny page (eg client tries to access a blocked site) discloses information in the "username" and "nsphostname" fields.
URL Path: http://netsweeper:8080/webadmin/deny/index.php?dpid=1&dpruleid=1&cat=1&ttl=5018400&groupname=<netsweeper_student_allow_internet_access>&policyname=auto_created&username=<netsweeper_username>&userip=127.0.0.1&connectionip=<client_ip>&nsphostname=<fqdn_of_netsweeper>&url=www.secuid0.net
+----------+
+ Solution +
+----------+
Upgrade to latest version.
# 0day.today [2018-01-10] #