Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:29163
HistoryMar 11, 2013 - 12:00 a.m.

[IA32] HP Intelligent Management Center v5.1 E0202 topoContent.jsf Non-Persistent Cross-Site Scripting

2013-03-1100:00:00
vulners.com
26

Inshell Security Advisory
http://www.inshell.net

  1. ADVISORY INFORMATION

Product: HP Intelligent Management Center
Vendor URL: www.hp.com
Type: Cross-Site Scripting [CWE-79]
Date found: 2012-06-08
Date published: 2013-03-04
CVSSv2 Score: CWE-79: 3,5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CVE: -

  1. CREDITS

This vulnerability was discovered and researched by Julien Ahrens from
Inshell Security.

  1. VERSIONS AFFECTED

HP Intelligent Management Center v5.1 E0202, older versions may be
affected too.

  1. VULNERABILITY DESCRIPTION

An Non-Persistent Cross-Site Scripting vulnerability has been identified
in HP Intelligent Management Center v5.1 E0202.

Vulnerable module (all parameters):
+/imc/topo/topoContent.jsf

An attacker could temporarily inject arbitrary code with authenticated
user interaction into the context of the admin - interface. Successful
exploitation of the vulnerability allows for example cookie theft,
session hijacking or client side context manipulation.

  1. PROOF-OF-CONCEPT (Code / Exploit)

http://localhost:8080/imc/topo/topoContent.jsf?opentopo_symbolid="><img
src="http://security.inshell.net/img/logo.png"
onload=alert('XSS');>&opentopo_loader=null&opentopo_level1nodeid=3&topoorientation_parentsymbolid=null&topoorientation_devsymbolid=null&topoorientation_level1nodeid=null&topoorientation_loader=null&checknode=null&ywkeys=isvlan&ywvalues=1&uselefttree=null&usetabpane=null&HandleMode=null&toponamelist=null

For additional screenshots and/or PoCs visit:
http://security.inshell.net/advisory/32

  1. SOLUTION

Update to latest version v5.2 E401

  1. REPORT TIMELINE

2012-06-08: Discovery of the vulnerability
2012-06-08: Vendor assigns security tracking identifier "SSRT100881"
2012-06-16: Vendor evaluates the problem report
2012-06-29: Public disclosure date reached, contacting vendor
2012-06-29: Vendor responds with "not even close to being ready"
2012-07-01: Asking for an appropriate timeframe
2012-07-08: Vendor statement: No timeframe available yet
2012-08-01: Request for status update
2012-08-06: Vendor is not able to reproduce the problem
2012-08-06: Providing additional PoC-Code
2012-10-04: Vendor provides new build for testing
2012-10-16: Confirmation that the issue is fixed
2012-11-09: Request for status update
2012-11-16: Vendor gives update on release timeframe
2013-02-19: Vendor releases v5.2 E401 which fixes the problem
2013-03-04: Coordinated Disclosure

  1. REFERENCES

http://security.inshell.net/advisory/32