what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Tembria Server Monitor Cross Site Scripting

Tembria Server Monitor Cross Site Scripting
Posted Feb 15, 2011
Authored by Rob Kraus, Jose R. Hernandez | Site solutionary.com

Tembria Server Monitor suffers from multiple cross site scripting vulnerabilities.

tags | advisory, vulnerability, xss
SHA-256 | bd43f55446ef0b1ec184ba04169d7ae96d5669d34c462d144c86fcb05e1fc3d3

Tembria Server Monitor Cross Site Scripting

Change Mirror Download
Tembria Server Monitor Multiple Cross-site Scripting (XSS) Vulnerabilities

Solutionary ID: SERT-VDN-1003

Solutionary Disclosure URL: http://www.solutionary.com/index/SERT/Vuln-Disclosures/Tembria-Server-Monitor-XSS.html

CVE ID: Pending

Product: Tembria Server Monitor

Application Vendor: Tembria

Vendor URL: http://www.tembria.com/products/servermonitor/index.html

Date discovered: 1/22/2011

Discovered by: Rob Kraus, Jose Hernandez, and Solutionary
Engineering Research Team (SERT)

Vendor notification date: 1/25/2011

Vendor response date: 1/25/2011

Vendor acknowledgment date: 1/25/2011

Public disclosure date: 2/14/2011

Type of vulnerability: Cross-Site Scripting (XSS) - Reflected

Exploit Vectors: Local and Remote

Vulnerability Description: The Web application management interface of Server Monitor contains multiple injection points, which allow for execution of Cross-site Scripting (XSS) attacks. Arbitrary client side code such as JavaScript can be included into certain parameters throughout the Web application. The following parameters and Web pages have been tested and verified; however, it is likely more views and parameters within the application are vulnerable:

event-history.asp (siteid, type) parameter
admin-history.asp (siteid, type) parameters
dashboard-view.asp (siteid, id) parameters
device-events.asp (siteid, dn) parameters
device-finder.asp (siteid, submit) parameters
device-list.asp (siteid, action, sel) parameters
device-monitors.asp (siteid, dn) parameters
device-views.asp (siteid, type) parameters
logbook.asp (siteid) parameter
monitor-events.asp (siteid) parameter
monitor-list.asp (siteid, action, sel) parameters
monitor-views.asp (siteid, type) parameters
reports-config-by-device.asp (siteid) parameter
reports-config-by-monitor.asp (siteid) parameter
reports-list.asp (siteid, sel) parameters
reports-monitoring-queue.asp (siteid) parameter
site-list.asp (action) parameter

Tested on: Windows XP, SP3, with Tembria Server Monitor v6.0.4 - Build 2229 default installation.

Affected software versions: Tembria Server Monitor v6.0.4 - Build 2229 (previous versions may also be vulnerable)

Impact: Successful attacks could disclose sensitive information about the user, session, and application to the attacker, resulting in a loss of confidentiality. Using XSS, an attacker could insert malicious code into a web page and entice naïve users to execute the malicious code.

Fixed in: Tembria Server Monitor v6.0.5 - Build 2252

Remediation guidelines: The vendor has created a fix for the vulnerabilities identified. Please update to version 6.0.5 - Build 2252 or newer.

Login or Register to add favorites

File Archive:

September 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    261 Files
  • 2
    Sep 2nd
    17 Files
  • 3
    Sep 3rd
    38 Files
  • 4
    Sep 4th
    52 Files
  • 5
    Sep 5th
    23 Files
  • 6
    Sep 6th
    27 Files
  • 7
    Sep 7th
    0 Files
  • 8
    Sep 8th
    1 Files
  • 9
    Sep 9th
    16 Files
  • 10
    Sep 10th
    0 Files
  • 11
    Sep 11th
    0 Files
  • 12
    Sep 12th
    0 Files
  • 13
    Sep 13th
    0 Files
  • 14
    Sep 14th
    0 Files
  • 15
    Sep 15th
    0 Files
  • 16
    Sep 16th
    0 Files
  • 17
    Sep 17th
    0 Files
  • 18
    Sep 18th
    0 Files
  • 19
    Sep 19th
    0 Files
  • 20
    Sep 20th
    0 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close