ID

VAR-200912-0282


CVE

CVE-2009-4406


TITLE

APC Network Management Card web interface vulnerable to cross-site scripting and cross-site request forgery

Trust: 0.8

sources: CERT/CC: VU#166739

DESCRIPTION

Cross-site scripting (XSS) vulnerability in Forms/login1 in American Power Conversion (APC) Switched Rack PDU AP7932 B2, running rpdu 3.3.3 or 3.7.0 on AOS 3.3.4, and possibly other versions, allows remote attackers to inject arbitrary web script or HTML via the login_username parameter.

The web management interface for the APC Network Management Card (NMC) used in various APC devices contains cross-site scripting (XSS) and cross-site request forgery (CSRF/XSRF) vulnerabilities. By convincing a victim to load a specially crafted URL while authenticated to an NMC, an attacker could obtain credentials or perform certain actions as the victim, including turning off the NMC-based device and any systems attached to it.

An attacker can exploit the cross-site request forgery issues to alter the settings on affected devices, which may lead to further network-based attacks. The attacker can exploit the cross-site scripting issues to execute arbitrary script code in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials. Other attacks are also possible.

Network Management Card firmware versions prior to 3.7.2 and prior to 5.1.1 are vulnerable.

1) Input passed to various parameters (e.g. the "login_username" parameter in Forms/login1) is not properly sanitised before being returned to the user.

2) The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the request. This can be exploited to e.g. create administrative users by tricking a logged-in administrative user into visiting a malicious web site.

Vulnerability #1 is reported in APC AP7932 Switched Rack PDU version 3.3.4 with application module version 3.7.0. Other APC NMC products and versions may also be affected.

SOLUTION:
Filter malicious characters and character sequences using a proxy.
Do not browse untrusted websites and do not follow untrusted links.
Apply updated firmware versions when available. Contact the vendor for additional details.

PROVIDED AND/OR DISCOVERED BY:
Russ McRee, HolisticInfoSec. Vulnerability #1 also independently discovered by Jamal Pecou.

ORIGINAL ADVISORY:
HolisticInfoSec: http://holisticinfosec.org/content/view/111/45/
APC: http://nam-en.apc.com/cgi-bin/nam_en.cfg/php/enduser/std_adp.php?p_faqid=10887&p_created=1261587018&p_topview=1
Jamal Pecou: http://archives.neohapsis.com/archives/bugtraq/current/0219.html

OTHER REFERENCES:
US-CERT VU#166739: http://www.kb.cert.org/vuls/id/166739
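The two weaknesses the advisories describe, modelled as an added Python example (this is not code from APC's NMC firmware or from any of the cited advisories): a Forms/login1-style handler that echoes login_username verbatim beside one that output-encodes it, a checker that classifies how a captured response body reflected a probe value, and a state-changing "create user" action accepted on the session cookie alone beside one that requires a per-session anti-CSRF token. The HTML template, the add_user handler, the token scheme, the host name pdu.example and the sample form bodies are assumptions made for the illustration; only the endpoint path Forms/login1 and the parameter name login_username come from the advisory.

```python
"""Added illustration for CVE-2009-4406; not APC firmware code.

Models the two weaknesses the advisories describe against a Forms/login1-style
handler and shows the hardened form of each:
  1. reflected XSS: login_username echoed into the page without HTML encoding
  2. CSRF: a state-changing request accepted on the strength of the session
     cookie alone, with no per-session token a cross-site page cannot read
Also includes a checker for a captured response body that reports whether a
probe value came back raw or encoded. The HTML template, the add_user handler,
the token scheme and the sample inputs are assumptions for this example.
"""
import hmac
import secrets
from html import escape
from typing import Dict, Optional
from urllib.parse import parse_qs, urlencode

# Probe value: closes a double-quoted attribute and opens a new tag.
PROBE = '"><svg onload=alert(1)>'


# ---- 1. reflected XSS in the login form --------------------------------
def render_login_vulnerable(login_username: str) -> str:
    """Hypothetical template that echoes the parameter verbatim (the flaw)."""
    return f'<input name="login_username" value="{login_username}">'


def render_login_hardened(login_username: str) -> str:
    """Same template with attribute-context output encoding; quote=True also
    encodes the quote characters, so the value cannot close the attribute."""
    return f'<input name="login_username" value="{escape(login_username, quote=True)}">'


def build_probe_url(base_url: str, marker: str = PROBE) -> str:
    """URL that submits the marker via login_username to Forms/login1."""
    return base_url.rstrip("/") + "/Forms/login1?" + urlencode({"login_username": marker})


def reflection_verdict(body: str, marker: str = PROBE) -> str:
    """Classify how a response body reflected the marker.

    'raw'     -> reflected unchanged; the probe reaches the HTML parser as markup
    'encoded' -> present only in HTML-escaped form; the attribute is not escaped from
    'absent'  -> not reflected at all
    """
    if marker in body:
        return "raw"
    if escape(marker, quote=True) in body:
        return "encoded"
    return "absent"


# ---- 2. CSRF on a state-changing action --------------------------------
class TokenStore:
    """Per-session anti-CSRF tokens (kept in memory for the example)."""

    def __init__(self) -> None:
        self._tokens: Dict[str, str] = {}

    def issue(self, session_id: str) -> str:
        token = secrets.token_urlsafe(32)
        self._tokens[session_id] = token
        return token

    def valid(self, session_id: str, presented: str) -> bool:
        expected = self._tokens.get(session_id)
        if expected is None:
            return False
        # Constant-time comparison so timing does not leak token bytes.
        return hmac.compare_digest(expected.encode(), presented.encode())


def add_user_vulnerable(session_id: Optional[str], form_body: str, store: TokenStore) -> bool:
    """Accepts the request whenever a session exists: a form auto-submitted
    from an attacker's page carries the victim's cookie and is accepted."""
    params = parse_qs(form_body)
    return session_id is not None and "username" in params


def add_user_hardened(session_id: Optional[str], form_body: str, store: TokenStore) -> bool:
    """Requires a token bound to the session; a cross-site page cannot read it."""
    params = parse_qs(form_body)
    presented = params.get("csrf_token", [""])[0]
    return (session_id is not None and "username" in params
            and store.valid(session_id, presented))


if __name__ == "__main__":
    print(build_probe_url("http://pdu.example"))
    for render in (render_login_vulnerable, render_login_hardened):
        print(render.__name__, "->", reflection_verdict(render(PROBE)))
    store = TokenStore()
    token = store.issue("victim-session")
    forged = "username=backdoor&password=x"            # constructed cross-site POST body
    legit = "username=ops&password=x&csrf_token=" + token
    print("vulnerable accepts forged request:", add_user_vulnerable("victim-session", forged, store))
    print("hardened accepts forged request:  ", add_user_hardened("victim-session", forged, store))
    print("hardened accepts legit request:   ", add_user_hardened("victim-session", legit, store))
```

To check a device rather than the model, fetch the URL that build_probe_url produces and pass the response body to reflection_verdict: 'raw' reproduces vulnerability #1, 'encoded' means the value is being output-encoded in that context. Note that the advisory says input is reflected in "various parameters", so a clean result for login_username alone does not clear the other forms, and the CSRF check (vulnerability #2) has to be made per state-changing request, not per page.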

Trust: 2.79

sources: NVD: CVE-2009-4406 // CERT/CC: VU#166739 // JVNDB: JVNDB-2009-002514 // BID: 37338 // VULHUB: VHN-41852 // PACKETSTORM: 84238

AFFECTED PRODUCTS

vendor:apcmodel:ap7932 b2scope:eqversion:3.7.0

Trust: 1.6

vendor:apcmodel:ap7932 b2scope:eqversion:3.3.3

Trust: 1.6

vendor:apcmodel:ap7932 b2scope:eqversion:*

Trust: 1.0

vendor:american power conversion corpmodel: - scope: - version: -

Trust: 0.8

vendor:schneider electric former namemodel:aosscope:eqversion:3.3.4

Trust: 0.8

vendor:schneider electric former namemodel:apc switched rack pduscope:eqversion:ap7932 b2

Trust: 0.8

vendor:apcmodel:switched rack pdu ap7932scope: - version: -

Trust: 0.3

vendor:apcmodel:network management cardscope:eqversion:0

Trust: 0.3

vendor:apcmodel:network management cardscope:neversion:5.1.1

Trust: 0.3

vendor:apcmodel:network management cardscope:neversion:3.7.2

Trust: 0.3

sources: CERT/CC: VU#166739 // BID: 37338 // JVNDB: JVNDB-2009-002514 // CNNVD: CNNVD-200912-337 // NVD: CVE-2009-4406

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2009-4406
value: MEDIUM

Trust: 1.0

NVD: CVE-2009-4406
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-200912-337
value: MEDIUM

Trust: 0.6

VULHUB: VHN-41852
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2009-4406
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-41852
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-41852 // JVNDB: JVNDB-2009-002514 // CNNVD: CNNVD-200912-337 // NVD: CVE-2009-4406

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.9

sources: VULHUB: VHN-41852 // JVNDB: JVNDB-2009-002514 // NVD: CVE-2009-4406

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-200912-337

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-200912-337

CONFIGURATIONS

sources: JVNDB: JVNDB-2009-002514

PATCH

title:Top Pageurl:http://www.apc.com/index.cfm

Trust: 0.8

sources: JVNDB: JVNDB-2009-002514

EXTERNAL IDS

db:BIDid:37338

Trust: 3.6

db:NVDid:CVE-2009-4406

Trust: 2.8

db:SECTRACKid:1023331

Trust: 2.5

db:CERT/CCid:VU#166739

Trust: 2.0

db:XFid:54824

Trust: 1.4

db:JVNDBid:JVNDB-2009-002514

Trust: 0.8

db:CNNVDid:CNNVD-200912-337

Trust: 0.7

db:BUGTRAQid:20091214 APC SWITCHED RACK PDU XSS VULNERABILITY

Trust: 0.6

db:XFid:7932

Trust: 0.6

db:SECUNIAid:37744

Trust: 0.2

db:VULHUBid:VHN-41852

Trust: 0.1

db:PACKETSTORMid:84238

Trust: 0.1

sources: CERT/CC: VU#166739 // VULHUB: VHN-41852 // BID: 37338 // JVNDB: JVNDB-2009-002514 // PACKETSTORM: 84238 // CNNVD: CNNVD-200912-337 // NVD: CVE-2009-4406

REFERENCES

url:http://www.securityfocus.com/bid/37338

Trust: 2.5

url:http://www.securitytracker.com/id?1023331

Trust: 2.5

url:http://www.securityfocus.com/archive/1/508468/100/0/threaded

Trust: 1.9

url:http://www.packetstormsecurity.org/0912-exploits/apc-xss.txt

Trust: 1.7

url:http://xforce.iss.net/xforce/xfdb/54824

Trust: 1.4

url:http://holisticinfosec.org/content/view/111/45/

Trust: 1.2

url:http://nam-en.apc.com/cgi-bin/nam_en.cfg/php/enduser/std_adp.php?p_faqid=10887&p_created=1261587018&p_topview=1

Trust: 1.2

url:http://www.kb.cert.org/vuls/id/166739

Trust: 1.2

url:https://exchange.xforce.ibmcloud.com/vulnerabilities/54824

Trust: 1.1

url:http://www.securityfocus.com/archive/1/508468/30/60/threaded

Trust: 0.8

url:http://www.securityfocus.com/bid/37338/info

Trust: 0.8

url:http://www.apcmedia.com/salestools/pmar-82bmh5_r0_en.zip

Trust: 0.8

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2009-4406

Trust: 0.8

url:http://jvn.jp/cert/jvnvu166739/index.html

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2009-4406

Trust: 0.8

url:http://www.securityfocus.com/archive/1/archive/1/508468/100/0/threaded

Trust: 0.6

url:http://www.apc.com

Trust: 0.3

url:http://secunia.com/advisories/37744/

Trust: 0.1

url:http://archives.neohapsis.com/archives/bugtraq/current/0219.html

Trust: 0.1

sources: CERT/CC: VU#166739 // VULHUB: VHN-41852 // BID: 37338 // JVNDB: JVNDB-2009-002514 // PACKETSTORM: 84238 // CNNVD: CNNVD-200912-337 // NVD: CVE-2009-4406

CREDITS

Jamal Pecou, Russ McRee

Trust: 0.9

sources: BID: 37338 // CNNVD: CNNVD-200912-337

SOURCES

db:CERT/CCid:VU#166739
db:VULHUBid:VHN-41852
db:BIDid:37338
db:JVNDBid:JVNDB-2009-002514
db:PACKETSTORMid:84238
db:CNNVDid:CNNVD-200912-337
db:NVDid:CVE-2009-4406

LAST UPDATE DATE

2025-04-10T23:13:54.568000+00:00


SOURCES UPDATE DATE

db:CERT/CCid:VU#166739date:2010-04-29T00:00:00
db:VULHUBid:VHN-41852date:2018-10-10T00:00:00
db:BIDid:37338date:2010-02-25T17:41:00
db:JVNDBid:JVNDB-2009-002514date:2010-03-12T00:00:00
db:CNNVDid:CNNVD-200912-337date:2009-12-24T00:00:00
db:NVDid:CVE-2009-4406date:2025-04-09T00:30:58.490

SOURCES RELEASE DATE

db:CERT/CCid:VU#166739date:2010-02-25T00:00:00
db:VULHUBid:VHN-41852date:2009-12-23T00:00:00
db:BIDid:37338date:2009-12-15T00:00:00
db:JVNDBid:JVNDB-2009-002514date:2010-03-12T00:00:00
db:PACKETSTORMid:84238date:2009-12-29T10:24:08
db:CNNVDid:CNNVD-200912-337date:2009-12-23T00:00:00
db:NVDid:CVE-2009-4406date:2009-12-23T21:30:00.233