exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Proventia Network Mail Security System Cross Site Request Forgery

Proventia Network Mail Security System Cross Site Request Forgery
Posted Sep 14, 2010
Authored by Dr. Marian Ventuneac

Web-based Local Management Interface (LMI) of IBM Proventia Network Mail Security System appliance (firmware 1.6 and 2.5) is vulnerable to XSRF attacks. When exploited by an attacker, the identified vulnerabilities could lead to compromising the security of the appliance, including unauthorized alteration of appliance's settings, DoS attacks, etc.

tags | advisory, web, local, vulnerability
advisories | CVE-2010-0153
SHA-256 | e79b5a9fb4e89af714cf275dfcd4e03761b0ba0e0db20144b1e00d48f36b7d68

Proventia Network Mail Security System Cross Site Request Forgery

Change Mirror Download



Security Advisory: MVSA-10-006 / CVE-2010-0153
Vendor: IBM
Products: Proventia Network Mail Security System
Vulnerabilities: Cross-Site Request Forgery (XSRF)
Risk: High
Attack Vector: From Remote
Authentication: Required
Reference: http://www.ventuneac.net/security-advisories/MVSA-10-006


Description

Web-based Local Management Interface (LMI) of IBM Proventia Network Mail Security System appliance (firmware 1.6 and 2.5) is vulnerable to XSRF attacks. When exploited by an attacker, the identified vulnerabilities could lead to compromising the security of the appliance, including unauthorized alteration of appliance's settings, DoS attacks, etc.


Affected Versions

IBM Proventia Network Mail Security System - virtual appliance (firmware 1.6)
IBM Proventia Network Mail Security System - virtual appliance (firmware 2.5)


Mitigation

Vendor recommends upgrading to PNMSS firmware 2.5.0.2 or later.
Alternatively, please contact IBM for technical support.


Disclosure Timeline

2009, November 07: Vulnerabilities discovered and documented
2009, November 08: Notification sent to IBM
2009, November 09: IBM acknowledges receiving the report
2010, March: IBM releases PNMSS Firmware 2.5.0.2 correcting the reported issues
2010, September 12: MVSA-10-006 advisory published.


Credits

Dr. Marian Ventuneac
http://ventuneac.net
Login or Register to add favorites

File Archive:

December 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    2 Files
  • 2
    Dec 2nd
    12 Files
  • 3
    Dec 3rd
    0 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    14 Files
  • 6
    Dec 6th
    18 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close