Tembria Server Monitor Multiple Cross-site Scripting (XSS) Vulnerabilities Solutionary ID: SERT-VDN-1003 Solutionary Disclosure URL: http://www.solutionary.com/index/SERT/Vuln-Disclosures/Tembria-Server-Monitor-XSS.html CVE ID: Pending Product: Tembria Server Monitor Application Vendor: Tembria Vendor URL: http://www.tembria.com/products/servermonitor/index.html Date discovered: 1/22/2011 Discovered by: Rob Kraus, Jose Hernandez, and Solutionary Engineering Research Team (SERT) Vendor notification date: 1/25/2011 Vendor response date: 1/25/2011 Vendor acknowledgment date: 1/25/2011 Public disclosure date: 2/14/2011 Type of vulnerability: Cross-Site Scripting (XSS) - Reflected Exploit Vectors: Local and Remote Vulnerability Description: The Web application management interface of Server Monitor contains multiple injection points, which allow for execution of Cross-site Scripting (XSS) attacks. Arbitrary client side code such as JavaScript can be included into certain parameters throughout the Web application. The following parameters and Web pages have been tested and verified; however, it is likely more views and parameters within the application are vulnerable: event-history.asp (siteid, type) parameter admin-history.asp (siteid, type) parameters dashboard-view.asp (siteid, id) parameters device-events.asp (siteid, dn) parameters device-finder.asp (siteid, submit) parameters device-list.asp (siteid, action, sel) parameters device-monitors.asp (siteid, dn) parameters device-views.asp (siteid, type) parameters logbook.asp (siteid) parameter monitor-events.asp (siteid) parameter monitor-list.asp (siteid, action, sel) parameters monitor-views.asp (siteid, type) parameters reports-config-by-device.asp (siteid) parameter reports-config-by-monitor.asp (siteid) parameter reports-list.asp (siteid, sel) parameters reports-monitoring-queue.asp (siteid) parameter site-list.asp (action) parameter Tested on: Windows XP, SP3, with Tembria Server Monitor v6.0.4 - Build 2229 default installation. Affected software versions: Tembria Server Monitor v6.0.4 - Build 2229 (previous versions may also be vulnerable) Impact: Successful attacks could disclose sensitive information about the user, session, and application to the attacker, resulting in a loss of confidentiality. Using XSS, an attacker could insert malicious code into a web page and entice naïve users to execute the malicious code. Fixed in: Tembria Server Monitor v6.0.5 - Build 2252 Remediation guidelines: The vendor has created a fix for the vulnerabilities identified. Please update to version 6.0.5 - Build 2252 or newer.
