exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

AlienVault USM/OSSIM 5.2 Cross Site Scripting

AlienVault USM/OSSIM 5.2 Cross Site Scripting
Posted Aug 24, 2016
Authored by Julien Ahrens | Site rcesecurity.com

AlienVault USM/OSSIM version 5.2 suffers from a cross site scripting vulnerability.

tags | exploit, xss
advisories | CVE-2016-6913
SHA-256 | 52d6e5998255d0e9741227d3f9f592c61f60e95789c4df2d2c3f1ba5af0dbda1

AlienVault USM/OSSIM 5.2 Cross Site Scripting

Change Mirror Download
RCE Security Advisory
https://www.rcesecurity.com


1. ADVISORY INFORMATION
=======================
Product: AlienVault USM/OSSIM
Vendor URL: www.alienvault.com
Type: Cross-Site Scripting [CWE-79]
Date found: 2016-05-24
Date published: 2016-08-23
CVSSv3 Score: 5.4 (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
CVE: CVE-2016-6913


2. CREDITS
==========
This vulnerability was discovered and researched by Julien Ahrens from
RCE Security.


3. VERSIONS AFFECTED
====================
AlienVault OSSIM 5.2
AlienVault USM 5.2
older versions may be affected too.


4. INTRODUCTION
===============
OSSIM, AlienVaultas Open Source Security Information and Event Management
(SIEM) product, provides you with a feature-rich open source SIEM complete
with event collection, normalization and correlation. Launched by security
engineers because of the lack of available open source products, OSSIM was
created specifically to address the reality many security professionals
face: A SIEM, whether it is open source or commercial, is virtually useless
without the basic security controls necessary for security visibility.

(from the vendor's homepage)


5. VULNERABILITY DETAILS
========================
The script "/ossim/conf/reload.php" is vulnerable to an authenticated
DOM-based Cross-Site Scripting vulnerability when user-supplied input to the
HTTP GET parameter "back" is processed by the web application. Since the
application does not properly validate and sanitize this parameter, it is
possible to place arbitrary script code in a document.location.href property
which could also be used to redirect a user.

The following Proof-of-Concept triggers this vulnerability:
https://127.0.0.1/ossim/conf/reload.php?what=policies&back=\%27;alert(/XSS/);//

The payload is used in a JavaScript, which is embedded within the
"/ossim/conf/reload.php" page:

<script type="text/javascript">
$(document).ready(function(){
if (typeof(top.refresh_notifications) == 'function')
{
top.refresh_notifications()
}

document.location.href = '\\';alert(/XSS/);//';
});
</script>


6. RISK
=======
To successfully exploit this vulnerability an authenticated user must be
tricked into visiting an arbitrary website while having an authenticated
session in the application.

The vulnerability can be used to temporarily embed arbitrary script code
into the context of the AlienVault administrative interface, which offers a
wide range of possible attacks such as redirecting the user to a malicious
page or attacking the browser and its plugins.


7. SOLUTION
===========
Update to AlienVault OSSIM/USM 5.3


8. REPORT TIMELINE
==================
2016-05-24: Discovery of the vulnerability
2016-05-24: Notified vendor via public security mail address
2016-05-31: No response, sent out another notification
2016-06-03: Vendor evaluates the vulnerability information
2016-06-23: Vendor confirms the vulnerability
2016-07-12: Vendor sets release date of the fix to 2016-08-02
2016-07-22: CVE requested from MITRE
2016-08-02: Vendor releases advisory ENG-103709
2016-08-23: MITRE assigns CVE-2016-6913
2016-08-23: Advisory released


9. REFERENCES
=============
https://www.alienvault.com/forums/discussion/7558/

Login or Register to add favorites

File Archive:

January 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    0 Files
  • 2
    Jan 2nd
    13 Files
  • 3
    Jan 3rd
    5 Files
  • 4
    Jan 4th
    5 Files
  • 5
    Jan 5th
    9 Files
  • 6
    Jan 6th
    5 Files
  • 7
    Jan 7th
    0 Files
  • 8
    Jan 8th
    0 Files
  • 9
    Jan 9th
    18 Files
  • 10
    Jan 10th
    31 Files
  • 11
    Jan 11th
    30 Files
  • 12
    Jan 12th
    33 Files
  • 13
    Jan 13th
    25 Files
  • 14
    Jan 14th
    0 Files
  • 15
    Jan 15th
    0 Files
  • 16
    Jan 16th
    7 Files
  • 17
    Jan 17th
    25 Files
  • 18
    Jan 18th
    38 Files
  • 19
    Jan 19th
    6 Files
  • 20
    Jan 20th
    21 Files
  • 21
    Jan 21st
    0 Files
  • 22
    Jan 22nd
    0 Files
  • 23
    Jan 23rd
    24 Files
  • 24
    Jan 24th
    68 Files
  • 25
    Jan 25th
    22 Files
  • 26
    Jan 26th
    20 Files
  • 27
    Jan 27th
    17 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    0 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close