VARIoT IoT vulnerabilities database

Cross-site scripting (XSS) vulnerability in login_error.shtml for D-Link DSA-3100 allows remote attackers to inject arbitrary HTML or web script via an encoded uname parameter. D-Link DSA-3100 has a cross-site scripting vulnerability in login_error.shtml. This issue is due to a failure to properly sanitize user-supplied input. An attacker may leverage this issue to have arbitrary script code execute in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks. TITLE: Elite-Board "search" Parameter Cross-Site Scripting Vulnerability SECUNIA ADVISORY ID: SA20289 VERIFY ADVISORY: http://secunia.com/advisories/20289/ CRITICAL: Less critical IMPACT: Cross Site Scripting WHERE: >From remote SOFTWARE: Elite-Board 1.x http://secunia.com/product/10164/ DESCRIPTION: luny has reported a vulnerability in Elite-Board, which can be exploited by malicious people to conduct cross-site scripting attacks. Input passed to the "search" parameter in search.html during searches is not properly sanitised before being returned to users. The vulnerability has been reported in version 1.1. Other versions may also be affected. SOLUTION: Edit the source code to ensure that input is properly sanitised. PROVIDED AND/OR DISCOVERED BY: luny ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . SOLUTION: Do not visit other web sites while accessing the gateway

Unspecified vulnerability in the VPN Client for Windows Graphical User Interface (GUI) (aka the VPN client dialer) in Cisco VPN Client for Windows 4.8.00.* and earlier, except for 4.7.00.0533, allows local authenticated, interactive users to gain privileges, possibly due to privileges of dialog boxes, aka bug ID CSCsd79265. Cisco VPN Client is susceptible to a local privilege-escalation vulnerability. This issue is due to an unspecified flaw in the VPN client GUI application. This issue allows local attackers to gain Local System privileges on affected computers. This facilitates the complete compromise of affected computers. This vulnerability affects Cisco VPN Clients on Microsoft Windows. Versions prior to 4.8.01.x, with the exception of version 4.7.00.0533, are affected. There is a loophole in the implementation of the Cisco VPN client, and local attackers may use this loophole to elevate their own access rights. A user must be able to authenticate and start an interactive Windows session to exploit this vulnerability. Successful exploitation of this vulnerability could allow a normal user or an attacker to take complete control of the system, circumventing any controls placed by the Windows system administrator. The vulnerability has been reported in versions 2.x, 3.x, 4.0.x, 4.6.x, 4.7.x (except version 4.7.00.0533), and 4.8.00.x for Windows. SOLUTION: Update to version 4.8.01.0300. http://www.cisco.com/pcgi-bin/tablebuild.pl/windows PROVIDED AND/OR DISCOVERED BY: The vendor credits: * Andrew Christensen, FortConsult. * Johan Ronkainen ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20060524-vpnclient.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Stack-based buffer overflow in Symantec Antivirus 10.1 and Client Security 3.1 allows remote attackers to execute arbitrary code via unknown attack vectors. Symantec products are vulnerable to a stack-based buffer overflow. Symantec AntiVirus Corporate Edition 10.1 and Symantec Client Security 3.1 are currently known to be vulnerable to this issue. All supported platforms are affected including Microsoft Windows and Novell Netware. Symantec AntiVirus is a very popular antivirus solution. The remote management protocol used by the affected products for communication is a proprietary message-based protocol with two levels of encapsulation. The outer layer consists of message headers, which may be message type 10, which means requesting Rtvscan.exe, or type 20 or 30, which means forwarding SSL negotiation. If SSL is created for a TCP connection, subsequent communication is encrypted, although there is still plaintext in the private format. The data of the type 10 message contains its own header and message body, both of which are processed by Rtvscan.exe. There is a command field in this header, which specifies the operation to be performed and the format of the message body data. COM_FORWARD_LOG (0x24) The command handler does not use strncat correctly, allowing to overwrite the 0x180 byte stack buffer with arbitrary data. If the first string in the COM_FORWARD_LOG request contains a backslash, one of two strncat calls is performed: * If the string contains commas but no double quotes: strncat(dest, src, 0x17A - strlen(src )); * Otherwise: strncat(dest, src, 0x17C - strlen(src)); If the length of the source string exceeds 0x17A or 0x17C characters respectively, the arithmetic will underflow, resulting in a large memory copy size. This might allow appending this source string to the buffer, overwriting the stack with 64KB of data (null characters excluded). Rtvscan.exe is compiled with the Visual Studio /GS security option and includes stack canary checks. But an attacker can bypass this security measure by overriding and controlling the exception handler registration. SOLUTION: Apply patches (see patch matrix in vendor advisory). PROVIDED AND/OR DISCOVERED BY: eEye Digital Security ORIGINAL ADVISORY: Symantec: http://securityresponse.symantec.com/avcenter/security/Content/2006.05.25.html eEye Digital Security: http://www.eeye.com/html/research/upcoming/20060524.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Edimax BR-6104K router allows remote attackers to bypass access restrictions and conduct unauthorized operations via a UPnP request with a modified InternalClient parameter (possibly within NewInternalClient), which is not validated, as demonstrated by using AddPortMapping to forward arbitrary traffic. For example, use AddPortMapping to forward arbitrary traffic. Br 6104K is prone to a security bypass vulnerability. TITLE: Edimax BR-6104K UPnP Shell Command Injection Vulnerability SECUNIA ADVISORY ID: SA20169 VERIFY ADVISORY: http://secunia.com/advisories/20169/ CRITICAL: Moderately critical IMPACT: DoS, System access WHERE: >From local network OPERATING SYSTEM: EDIMAX BR-6104K Broadband Router http://secunia.com/product/10080/ DESCRIPTION: Armijn Hemel has reported a vulnerability in Edimax BR-6104K, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable device. The vulnerability is caused due to missing authentication of UPnP AddPortMapping requests and missing validation of the NewInternalClient parameter of the request. This can be exploited by hosts on the local network to execute shell commands e.g. "/sbin/reboot" on the device via specially crafted UPnP AddPortMapping requests containing shell commands in the NewInternalClient parameter. SOLUTION: Disable the UPnP functionality if it is not required. UPnP is reportedly disabled by default. PROVIDED AND/OR DISCOVERED BY: Armijn Hemel ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Linksys WRT54G Wireless-G Broadband Router allows remote attackers to bypass access restrictions and conduct unauthorized operations via a UPnP request with a modified InternalClient parameter, which is not validated, as demonstrated by using AddPortMapping to forward arbitrary traffic. For example, use AddPortMapping to forward arbitrary traffic. WRT54G v4.0 is prone to a security bypass vulnerability. TITLE: Linksys WRT54G UPnP Port Mapping Vulnerability SECUNIA ADVISORY ID: SA20161 VERIFY ADVISORY: http://secunia.com/advisories/20161/ CRITICAL: Less critical IMPACT: Security Bypass WHERE: >From local network OPERATING SYSTEM: Linksys WRT54G Wireless-G Broadband Router http://secunia.com/product/3523/ DESCRIPTION: Armijn Hemel has reported a vulnerability in Linksys WRT54G, which can be exploited by malicious people to bypass certain security restrictions. The vulnerability is caused due to missing authentication of UPnP AddPortMapping requests and missing validation of the InternalClient parameter of the request. This can be exploited by hosts on the local network to configure port forwarding settings on the device to forward incoming traffic to arbitrary hosts without requiring authentication. Successful exploitation may allow the device to be configured to forward traffic that is received on specific ports on the external interface to another host on the Internet. SOLUTION: Update to firmware version 1.00.9. http://www.linksys.com/servlet/Satellite?c=L_Download_C2&childpagename=US%2FLayout&cid=1115417109974&packedargs=sku%3D1127782957298&pagename=Linksys%2FCommon%2FVisitorWrapper PROVIDED AND/OR DISCOVERED BY: Armijn Hemel ORIGINAL ADVISORY: http://www.securityview.org/how-does-the-upnp-flaw-works.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Sitecom WL-153 router firmware before 1.38 allows remote attackers to bypass access restrictions and conduct unauthorized operations via a UPnP request with a modified InternalClient parameter, which is not validated, as demonstrated by using AddPortMapping to forward arbitrary traffic. For example, use AddPortMapping to forward arbitrary traffic. Wl-153 is prone to a security bypass vulnerability. TITLE: Sitecom WL-153 UPnP Shell Command Injection Vulnerability SECUNIA ADVISORY ID: SA20183 VERIFY ADVISORY: http://secunia.com/advisories/20183/ CRITICAL: Moderately critical IMPACT: DoS, System access WHERE: >From local network OPERATING SYSTEM: Sitecom WL-153 MIMO XR Wireless Network Broadband Router http://secunia.com/product/10081/ DESCRIPTION: Armijn Hemel has reported a vulnerability in Sitecom WL-153, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable device. The vulnerability is related to: SA20169 The vulnerability has been reported in firmware versions prior to 1.38. SOLUTION: Disable the UPnP functionality if it is not required. The vendor reportedly will release an updated firmware soon. PROVIDED AND/OR DISCOVERED BY: Armijn Hemel OTHER REFERENCES: SA20169: http://secunia.com/advisories/20169/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

ZyXEL P-335WT router allows remote attackers to bypass access restrictions and conduct unauthorized operations via a UPnP request with a modified InternalClient parameter, which is not validated, as demonstrated by using AddPortMapping to forward arbitrary traffic. For example, use AddPortMapping to forward arbitrary traffic. P-335Wt Router is prone to a security bypass vulnerability. TITLE: ZyXEL P-335WT UPnP Port Mapping Vulnerability SECUNIA ADVISORY ID: SA20184 VERIFY ADVISORY: http://secunia.com/advisories/20184/ CRITICAL: Less critical IMPACT: Security Bypass WHERE: >From local network OPERATING SYSTEM: ZyXEL P-335WT http://secunia.com/product/10055/ DESCRIPTION: Armijn Hemel has reported a vulnerability in ZyXEL P-335WT, which can be exploited by malicious people to bypass certain security restrictions. The vulnerability is related to: SA20161 SOLUTION: Disable the UPnP functionality if it is not required. UPnP is reportedly disabled by default. PROVIDED AND/OR DISCOVERED BY: Armijn Hemel OTHER REFERENCES: SA20161: http://secunia.com/advisories/20161/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Xcode Tools before 2.3 for Mac OS X 10.4, when running the WebObjects plugin, allows remote attackers to access or modify WebObjects projects through a network service. Xcode Tools is prone to an unauthorized remote access vulnerability through the WebObjects plug-in. A remote attacker can exploit this issue to manipulate projects through the network service. This issue affects only those systems with the Xcode Tools WebObjects plug-in installed. TITLE: Apple Xcode WebObjects Plugin Access Control Vulnerability SECUNIA ADVISORY ID: SA20267 VERIFY ADVISORY: http://secunia.com/advisories/20267/ CRITICAL: Less critical IMPACT: Security Bypass WHERE: >From local network SOFTWARE: Apple Xcode 2.x http://secunia.com/product/10144/ DESCRIPTION: A vulnerability has been reported in Apple Xcode, which can be exploited by malicious people to bypass certain security restrictions. The vulnerability has been reported in versions prior to 2.3. SOLUTION: Update to version 2.3. http://developer.apple.com/tools/download/ PROVIDED AND/OR DISCOVERED BY: The vendor credits Mike Schrag of mDimension Technology. ORIGINAL ADVISORY: http://docs.info.apple.com/article.html?artnum=303794 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Ipswitch WhatsUp Professional 2006 only verifies the user's identity via HTTP headers, which allows remote attackers to spoof being a trusted console and bypass authentication by setting HTTP User-Agent header to "Ipswitch/1.0" and the User-Application header to "NmConsole". Ipswitch WhatsUp Professional 2006 is susceptible to a remote authentication-bypass vulnerability. This issue allows remote attackers to gain administrative access to the web-based administrative interface of the application. This will aid them in further network attacks. Whatsup Professional software is a tool developed by Ipswitch to monitor the network status of TCP/IP, NetBEUI and IPX. What\'\'s Up Professional 2006 has an authentication bypass vulnerability, an attacker can bypass the authentication mechanism and log in without credentials. An attacker can trick the application into believing that the request is coming from the console, which is trusted, by sending HTTP requests with specially crafted headers

Multiple cross-site scripting (XSS) vulnerabilities in Mobotix IP Network Cameras M1 1.9.4.7 and M10 2.0.5.2, and other versions before 2.2.3.18 for M10/D10 and 3.0.3.31 for M22, allow remote attackers to inject arbitrary web script or HTML via URL-encoded values in (1) the query string to help/help, (2) the get_image_info_abspath parameter to control/eventplayer, and (3) the source_ip parameter to events.tar. The Mobotix IP camera is prone to multiple cross-site scripting vulnerabilities. These issues are due to a failure in the device to properly sanitize user-supplied input. An attacker may leverage these issues to have arbitrary script code executed in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks. A remote attacker can inject arbitrary web scripts or HTML. Some input isn't properly sanitised before being returned to the user. Examples: http://[host]/help/help?%3CBODY%20ONLOAD=[code]%3E http://[host]/control/events.tar?source_ip=%3CBODY%20ONLOAD=[code]%3E&download=egal http://[host]/control/eventplayer?get_image_info_abspath=%3CBODY%20ONLOAD=[code]%3E The vulnerabilities have been reported in version 2.0.5.2 for the M10 series and in version 1.9.4.7 for the M1 series. Other versions may also be affected. SOLUTION: Filter malicious characters and character sequences in a proxy server or firewall with URL filtering capabilities. PROVIDED AND/OR DISCOVERED BY: Jaime Blasco ORIGINAL ADVISORY: http://www.eazel.es/media/advisory001.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

SQL injection vulnerability in Hitachi EUR Professional Edition, EUR Viewer, EUR Print Service, and EUR Print Service for ILF allows remote authenticated users to execute arbitrary SQL commands via unknown attack vectors. Hitachi EUR is prone to an SQL-injection vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input before using it in an SQL query. A successful attack could allow an attacker to compromise the application, access or modify data, gain administrative access to the application, or exploit vulnerabilities in the underlying database implementation. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. The vulnerability has been reported in the following products: * EUR Professional Edition version 05-00 through 05-06 (Windows). * EUR Viewer version 05-00 through 05-06 (Windows). (Windows). (Linux/AIX/HP-UX/Solaris). Contact the vendor to obtain the fixed versions. PROVIDED AND/OR DISCOVERED BY: Reported by vendor. ORIGINAL ADVISORY: http://www.hitachi-support.com/security_e/vuls_e/HS06-010_e/index-e.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Multiple cross-site scripting (XSS) vulnerabilities in IPswitch WhatsUp Professional 2006 and WhatsUp Professional 2006 Premium allow remote attackers to inject arbitrary web script or HTML via unknown vectors in (1) NmConsole/Tools.asp and (2) NmConsole/DeviceSelection.asp. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 1) Input passed to NmConsole/Navigation.asp and to the "sHostname" parameter in NmConsole/ToolResults.asp is not properly sanitised before being returned to users. This can be exploited to execute arbitrary HTML and script code in a logged in user's browser session in context of a vulnerable site. Example: http://[host]:8022/NmConsole/Navigation.asp?">[code] 2) Input passed to NmConsole/Tools.asp and NmConsole/DeviceSelection.asp is also not properly sanitised before being returned to users. This can be exploited to execute arbitrary HTML and script code in a logged in user's browser session in context of a vulnerable site. 3) It's possible to disclose monitored devices without being logged in by passing arbitrary values to the "nDeviceGroupID" parameter in "NmConsole/utility/RenderMap.asp". Example: http://[host]:8022/NmConsole/utility/RenderMap.asp?nDeviceGroupID=2 4) Input passed to the "sRedirectUrl" and "sCancelURL" in NmConsole/DeviceSelection.asp is not properly verified, which makes it possible to redirect a user to an arbitrary web site. It is also possible to disclose the source code of the ASP pages by appending a period to the end of the file extension. 5) Different error messages are returned during login to "NmConsole/Login.asp" depending on whether the supplied username or password is incorrect. 6) It is possible to disclose path information in 404 error messages returned by the service. Example: http://[host]:8022/NmConsole The vulnerabilities and weaknesses have been confirmed in WhatsUp Professional 2006. SOLUTION: Restrict access to port 8022/tcp and don't visit other web sites while logged in. PROVIDED AND/OR DISCOVERED BY: 1, 3, 4) David Maciejak 2, 5, 6) Reported by an anonymous person. ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

NmConsole/DeviceSelection.asp in Ipswitch WhatsUp Professional 2006 and WhatsUp Professional 2006 Premium allows remote attackers to redirect users to other websites via the (1) sCancelURL and possibly (2) sRedirectUrl parameters. TITLE: WhatsUp Professional Cross-Site Scripting and Information Disclosure SECUNIA ADVISORY ID: SA20075 VERIFY ADVISORY: http://secunia.com/advisories/20075/ CRITICAL: Less critical IMPACT: Cross Site Scripting WHERE: >From remote SOFTWARE: Ipswitch WhatsUp Professional 2006 http://secunia.com/product/9917/ Ipswitch WhatsUp Professional 2006 Premium http://secunia.com/product/9918/ DESCRIPTION: Some vulnerabilities and weaknesses have been discovered in WhatsUp Professional, which can be exploited by malicious people to gain knowledge of certain information or conduct cross-site scripting attacks. 1) Input passed to NmConsole/Navigation.asp and to the "sHostname" parameter in NmConsole/ToolResults.asp is not properly sanitised before being returned to users. This can be exploited to execute arbitrary HTML and script code in a logged in user's browser session in context of a vulnerable site. Example: http://[host]:8022/NmConsole/Navigation.asp?">[code] 2) Input passed to NmConsole/Tools.asp and NmConsole/DeviceSelection.asp is also not properly sanitised before being returned to users. This can be exploited to execute arbitrary HTML and script code in a logged in user's browser session in context of a vulnerable site. 3) It's possible to disclose monitored devices without being logged in by passing arbitrary values to the "nDeviceGroupID" parameter in "NmConsole/utility/RenderMap.asp". Example: http://[host]:8022/NmConsole/utility/RenderMap.asp?nDeviceGroupID=2 4) Input passed to the "sRedirectUrl" and "sCancelURL" in NmConsole/DeviceSelection.asp is not properly verified, which makes it possible to redirect a user to an arbitrary web site. It is also possible to disclose the source code of the ASP pages by appending a period to the end of the file extension. 5) Different error messages are returned during login to "NmConsole/Login.asp" depending on whether the supplied username or password is incorrect. 6) It is possible to disclose path information in 404 error messages returned by the service. SOLUTION: Restrict access to port 8022/tcp and don't visit other web sites while logged in. PROVIDED AND/OR DISCOVERED BY: 1, 3, 4) David Maciejak 2, 5, 6) Reported by an anonymous person. ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

NmConsole/Login.asp in Ipswitch WhatsUp Professional 2006 and Ipswitch WhatsUp Professional 2006 Premium generates different error messages in a way that allows remote attackers to enumerate valid usernames. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. WhatsUp Professional 2005 is prone to a remote security vulnerability. TITLE: WhatsUp Professional Cross-Site Scripting and Information Disclosure SECUNIA ADVISORY ID: SA20075 VERIFY ADVISORY: http://secunia.com/advisories/20075/ CRITICAL: Less critical IMPACT: Cross Site Scripting WHERE: >From remote SOFTWARE: Ipswitch WhatsUp Professional 2006 http://secunia.com/product/9917/ Ipswitch WhatsUp Professional 2006 Premium http://secunia.com/product/9918/ DESCRIPTION: Some vulnerabilities and weaknesses have been discovered in WhatsUp Professional, which can be exploited by malicious people to gain knowledge of certain information or conduct cross-site scripting attacks. 1) Input passed to NmConsole/Navigation.asp and to the "sHostname" parameter in NmConsole/ToolResults.asp is not properly sanitised before being returned to users. This can be exploited to execute arbitrary HTML and script code in a logged in user's browser session in context of a vulnerable site. Example: http://[host]:8022/NmConsole/Navigation.asp?">[code] 2) Input passed to NmConsole/Tools.asp and NmConsole/DeviceSelection.asp is also not properly sanitised before being returned to users. This can be exploited to execute arbitrary HTML and script code in a logged in user's browser session in context of a vulnerable site. 3) It's possible to disclose monitored devices without being logged in by passing arbitrary values to the "nDeviceGroupID" parameter in "NmConsole/utility/RenderMap.asp". Example: http://[host]:8022/NmConsole/utility/RenderMap.asp?nDeviceGroupID=2 4) Input passed to the "sRedirectUrl" and "sCancelURL" in NmConsole/DeviceSelection.asp is not properly verified, which makes it possible to redirect a user to an arbitrary web site. It is also possible to disclose the source code of the ASP pages by appending a period to the end of the file extension. 5) Different error messages are returned during login to "NmConsole/Login.asp" depending on whether the supplied username or password is incorrect. 6) It is possible to disclose path information in 404 error messages returned by the service. SOLUTION: Restrict access to port 8022/tcp and don't visit other web sites while logged in. PROVIDED AND/OR DISCOVERED BY: 1, 3, 4) David Maciejak 2, 5, 6) Reported by an anonymous person. ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Ipswitch WhatsUp Professional 2006 and Ipswitch WhatsUp Professional 2006 Premium allows remote attackers to obtain full path information via 404 error messages. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 1) Input passed to NmConsole/Navigation.asp and to the "sHostname" parameter in NmConsole/ToolResults.asp is not properly sanitised before being returned to users. This can be exploited to execute arbitrary HTML and script code in a logged in user's browser session in context of a vulnerable site. Example: http://[host]:8022/NmConsole/Navigation.asp?">[code] 2) Input passed to NmConsole/Tools.asp and NmConsole/DeviceSelection.asp is also not properly sanitised before being returned to users. This can be exploited to execute arbitrary HTML and script code in a logged in user's browser session in context of a vulnerable site. 3) It's possible to disclose monitored devices without being logged in by passing arbitrary values to the "nDeviceGroupID" parameter in "NmConsole/utility/RenderMap.asp". Example: http://[host]:8022/NmConsole/utility/RenderMap.asp?nDeviceGroupID=2 4) Input passed to the "sRedirectUrl" and "sCancelURL" in NmConsole/DeviceSelection.asp is not properly verified, which makes it possible to redirect a user to an arbitrary web site. It is also possible to disclose the source code of the ASP pages by appending a period to the end of the file extension. 5) Different error messages are returned during login to "NmConsole/Login.asp" depending on whether the supplied username or password is incorrect. SOLUTION: Restrict access to port 8022/tcp and don't visit other web sites while logged in. PROVIDED AND/OR DISCOVERED BY: 1, 3, 4) David Maciejak 2, 5, 6) Reported by an anonymous person. ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

NmConsole/utility/RenderMap.asp in Ipswitch WhatsUp Professional 2006 and WhatsUp Professional 2006 Premium allows remote attackers to obtain sensitive information about network nodes via a modified nDeviceGroupID parameter. WhatsUp is prone to a information disclosure vulnerability. 1) Input passed to NmConsole/Navigation.asp and to the "sHostname" parameter in NmConsole/ToolResults.asp is not properly sanitised before being returned to users. This can be exploited to execute arbitrary HTML and script code in a logged in user's browser session in context of a vulnerable site. Example: http://[host]:8022/NmConsole/Navigation.asp?">[code] 2) Input passed to NmConsole/Tools.asp and NmConsole/DeviceSelection.asp is also not properly sanitised before being returned to users. This can be exploited to execute arbitrary HTML and script code in a logged in user's browser session in context of a vulnerable site. 3) It's possible to disclose monitored devices without being logged in by passing arbitrary values to the "nDeviceGroupID" parameter in "NmConsole/utility/RenderMap.asp". Example: http://[host]:8022/NmConsole/utility/RenderMap.asp?nDeviceGroupID=2 4) Input passed to the "sRedirectUrl" and "sCancelURL" in NmConsole/DeviceSelection.asp is not properly verified, which makes it possible to redirect a user to an arbitrary web site. It is also possible to disclose the source code of the ASP pages by appending a period to the end of the file extension. 5) Different error messages are returned during login to "NmConsole/Login.asp" depending on whether the supplied username or password is incorrect. 6) It is possible to disclose path information in 404 error messages returned by the service. Example: http://[host]:8022/NmConsole The vulnerabilities and weaknesses have been confirmed in WhatsUp Professional 2006. SOLUTION: Restrict access to port 8022/tcp and don't visit other web sites while logged in. PROVIDED AND/OR DISCOVERED BY: 1, 3, 4) David Maciejak 2, 5, 6) Reported by an anonymous person. ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Ipswitch WhatsUp Professional 2006 and WhatsUp Professional 2006 Premium allows remote attackers to obtain source code for scripts via a trailing dot in a request to NmConsole/Login.asp. TITLE: WhatsUp Professional Cross-Site Scripting and Information Disclosure SECUNIA ADVISORY ID: SA20075 VERIFY ADVISORY: http://secunia.com/advisories/20075/ CRITICAL: Less critical IMPACT: Cross Site Scripting WHERE: >From remote SOFTWARE: Ipswitch WhatsUp Professional 2006 http://secunia.com/product/9917/ Ipswitch WhatsUp Professional 2006 Premium http://secunia.com/product/9918/ DESCRIPTION: Some vulnerabilities and weaknesses have been discovered in WhatsUp Professional, which can be exploited by malicious people to gain knowledge of certain information or conduct cross-site scripting attacks. 1) Input passed to NmConsole/Navigation.asp and to the "sHostname" parameter in NmConsole/ToolResults.asp is not properly sanitised before being returned to users. This can be exploited to execute arbitrary HTML and script code in a logged in user's browser session in context of a vulnerable site. Example: http://[host]:8022/NmConsole/Navigation.asp?">[code] 2) Input passed to NmConsole/Tools.asp and NmConsole/DeviceSelection.asp is also not properly sanitised before being returned to users. This can be exploited to execute arbitrary HTML and script code in a logged in user's browser session in context of a vulnerable site. 3) It's possible to disclose monitored devices without being logged in by passing arbitrary values to the "nDeviceGroupID" parameter in "NmConsole/utility/RenderMap.asp". Example: http://[host]:8022/NmConsole/utility/RenderMap.asp?nDeviceGroupID=2 4) Input passed to the "sRedirectUrl" and "sCancelURL" in NmConsole/DeviceSelection.asp is not properly verified, which makes it possible to redirect a user to an arbitrary web site. It is also possible to disclose the source code of the ASP pages by appending a period to the end of the file extension. 5) Different error messages are returned during login to "NmConsole/Login.asp" depending on whether the supplied username or password is incorrect. 6) It is possible to disclose path information in 404 error messages returned by the service. SOLUTION: Restrict access to port 8022/tcp and don't visit other web sites while logged in. PROVIDED AND/OR DISCOVERED BY: 1, 3, 4) David Maciejak 2, 5, 6) Reported by an anonymous person. ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Multiple cross-site scripting (XSS) vulnerabilities in IPswitch WhatsUp Professional 2006 and WhatsUp Professional 2006 Premium allow remote attackers to inject arbitrary web script or HTML via the (1) sDeviceView or (2) nDeviceID parameter to (a) NmConsole/Navigation.asp or (3) sHostname parameter to (b) NmConsole/ToolResults.asp. WhatsUp Professional is prone to multiple input-validation vulnerabilities. The issues include remote file-include, information-disclosure, source-code disclosure, cross-site scripting, and input-validation vulnerabilities. These issues are due to a failure in the application to properly sanitize user-supplied input. Successful exploits of these vulnerabilities could allow an attacker to access or modify data, steal cookie-based authentication credentials, perform username-enumeration, access sensitive information, and gain unauthorized access to script source code. Other attacks are also possible. This can be exploited to execute arbitrary HTML and script code in a logged in user's browser session in context of a vulnerable site. Example: http://[host]:8022/NmConsole/Navigation.asp?">[code] 2) Input passed to NmConsole/Tools.asp and NmConsole/DeviceSelection.asp is also not properly sanitised before being returned to users. This can be exploited to execute arbitrary HTML and script code in a logged in user's browser session in context of a vulnerable site. 3) It's possible to disclose monitored devices without being logged in by passing arbitrary values to the "nDeviceGroupID" parameter in "NmConsole/utility/RenderMap.asp". Example: http://[host]:8022/NmConsole/utility/RenderMap.asp?nDeviceGroupID=2 4) Input passed to the "sRedirectUrl" and "sCancelURL" in NmConsole/DeviceSelection.asp is not properly verified, which makes it possible to redirect a user to an arbitrary web site. It is also possible to disclose the source code of the ASP pages by appending a period to the end of the file extension. 5) Different error messages are returned during login to "NmConsole/Login.asp" depending on whether the supplied username or password is incorrect. 6) It is possible to disclose path information in 404 error messages returned by the service. SOLUTION: Restrict access to port 8022/tcp and don't visit other web sites while logged in. PROVIDED AND/OR DISCOVERED BY: 1, 3, 4) David Maciejak 2, 5, 6) Reported by an anonymous person. ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

The HTTP proxy in Symantec Gateway Security 5000 Series 2.0.1 and 3.0, and Enterprise Firewall 8.0, when NAT is being used, allows remote attackers to determine internal IP addresses by using malformed HTTP requests, as demonstrated using a get request without a space separating the URI. Symantec Enterprise Firewall and Gateway Security products are prone to an information-disclosure weakness. The vendor has reported that the NAT/HTTP proxy component of the products may reveal the internal IP addresses of protected computers. An attacker may use this information to carry out targeted attacks against a potentially vulnerable host. The weakness is caused due to an error when generating responses to certain HTTP requests. SOLUTION: Apply product updates. http://www.symantec.com/techsupp/enterprise/select_product_updates.html PROVIDED AND/OR DISCOVERED BY: The vendor credits Bernhard Mueller. ORIGINAL ADVISORY: Symantec: http://securityresponse.symantec.com/avcenter/security/Content/2006.05.10.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

The transparent proxy feature of the Cisco Application Velocity System (AVS) 3110 5.0 and 4.0 and earlier, and 3120 5.0.0 and earlier, has a default configuration that allows remote attackers to proxy arbitrary TCP connections, aka Bug ID CSCsd32143. This software fails to allow only valid TCP ports to be used by remote users. Remote attackers may use the affected software as an open TCP proxy. Attackers have exploited this to send unsolicited commercial email (UCE). Versions of AVS prior to 5.0.1 are vulnerable to this issue. The problem is caused due to insecure default settings allowing anyone to use the device as an open relay to any TCP service able to process data embedded in HTTP POST requests. The security issue affects the following products: * AVS 3110 versions 4.0 and 5.0 (and prior) * AVS 3120 version 5.0.0 (and prior) NOTE: According to Cisco PSIRT, the security issue is actively exploited to send unsolicited commercial e-mails and obscure the true originator. SOLUTION: Update to version 5.0.1. Software for AVS 3110: http://www.cisco.com/pcgi-bin/tablebuild.pl/AVS3110-5.0.1 Software for AVS 3120: http://www.cisco.com/pcgi-bin/tablebuild.pl/AVS3120-5.0.1 PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20060510-avs.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------