SQL-injection, XSS in OSSIM (Open Source Security Information Management)
Feb 21 2008 12:47PM
marcin kopec hotmail com
Re: SQL-injection, XSS in OSSIM (Open Source Security Information Management)
Feb 22 2008 07:50AM
Dominique Karg (dk ossim net)
I can confirm this affects earlier versions as well. The XSS was fixed some months ago; the SQL injection (and others) were caused by a failure in the "punctuation" validation regexp. I just fixed that one as well as some others.
We're going to release a fixed version ASAP after stopping development in order to get a thorough security audit done. The SQL regexp I just fixed, and we'll update the packages today.
Nonetheless, exposure should be minimal since:
a) You aren't going to provide public access to your SIM console, are you?
b) Regarding the specific SQL injection mentioned here (as said, there are more we're going to fix), you shouldn't give access to the policy section to normal users either.
I must thank you for pointing this out, but I would have appreciated a more "direct" contact, as it is considered a polite way of releasing bugs.
On 21.02.2008 at 13:47, marcin.kopec (at) hotmail (dot) com wrote:
> Application: OSSIM
> Version: 0.9.9rc5
> Note: it is possible that the problem also affects earlier OSSIM versions
> Platforms: Linux
> Bug: SQL injection, Cross Site Scripting
> Exploitation: remote
> Date: 21 Feb 2008
> Author: Marcin Kopec
> E-mail: marcin(dot)kopec(at)hotmail(dot)com
> 1) Introduction
> OSSIM is a free implementation of a Security Information Management
> (SIM) system, equipped with many useful security tools (nessus,
> snort, p0f, ntop, ...) managed from an easy-to-use web panel.
> 2) SQL injection
> The bug exists in the portname parameter of modifyportform.php.
> It's possible to obtain the hashed administrator password when the user has
> rights to do port modification in the "PORTS" tab.
> 3) XSS
> Quotes in OSSIM aren't properly sanitized.
> The XSS below may be executed without logging into OSSIM.
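The reply above attributes the SQL injection to a broken "punctuation" validation regexp and the XSS to unsanitized quotes. The following is an added example, not code from OSSIM or from either poster, showing the defender's side of both findings: a portname update built by string concatenation (the pattern a punctuation filter was trying to protect) next to the same update with a bound parameter, an allowlist validator in place of a punctuation blacklist, and HTML escaping of the stored value before it is rendered. The `port` table, its columns and the allowed-character set are assumptions made for the demo; OSSIM's real schema is not on the page.

```python
import html
import re
import sqlite3

# Constructed stand-in for an OSSIM-like "port" table (assumption, not OSSIM's schema).
SCHEMA = """
CREATE TABLE port (id INTEGER PRIMARY KEY, portname TEXT NOT NULL, port_number INTEGER NOT NULL);
INSERT INTO port (portname, port_number) VALUES ('http', 80), ('ssh', 22);
"""

# Allowlist instead of a punctuation blacklist: name exactly what a port name may contain.
# A blacklist regexp fails open whenever it forgets a character; an allowlist fails closed.
PORTNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")  # hypothetical policy


def portname_is_valid(name: str) -> bool:
    """Return True only if the name matches the allowlist (defense in depth, not the fix)."""
    return PORTNAME_RE.fullmatch(name) is not None


def build_unsafe_update(port_id: int, new_name: str) -> str:
    """The vulnerable pattern: the value is pasted into SQL text, so a quote ends the literal.

    Returned only as a string so the reader can see what the database would be asked to parse.
    """
    return "UPDATE port SET portname = '%s' WHERE id = %d" % (new_name, port_id)


def unsafe_update_breaks(conn: sqlite3.Connection, port_id: int, new_name: str) -> bool:
    """Execute the concatenated statement; True if the database rejects it as malformed SQL.

    A quote in the value changes the statement's structure, which is exactly what an attacker
    relies on; here it simply produces a syntax error, illustrating that the value was parsed
    as SQL rather than stored as data.
    """
    try:
        conn.execute(build_unsafe_update(port_id, new_name))
    except sqlite3.Error:
        return True
    return False


def rename_port(conn: sqlite3.Connection, port_id: int, new_name: str) -> None:
    """The fix: validate, then bind the value as a parameter so it is never parsed as SQL."""
    if not portname_is_valid(new_name):
        raise ValueError("portname rejected by allowlist: %r" % new_name)
    conn.execute("UPDATE port SET portname = ? WHERE id = ?", (new_name, port_id))
    conn.commit()


def rename_port_bound_only(conn: sqlite3.Connection, port_id: int, new_name: str) -> str:
    """Binding alone keeps quotes inert even when validation is skipped; returns the stored value."""
    conn.execute("UPDATE port SET portname = ? WHERE id = ?", (new_name, port_id))
    conn.commit()
    row = conn.execute("SELECT portname FROM port WHERE id = ?", (port_id,)).fetchone()
    return row[0]


def render_portname(name: str) -> str:
    """Output encoding for the XSS finding: escape <, >, &, and both quote characters."""
    return html.escape(name, quote=True)


def demo() -> dict:
    """Run the whole comparison against an in-memory database and return the observations."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    quoted_name = "o'reilly"  # constructed input containing a single quote
    return {
        "allowlist_rejects_quote": not portname_is_valid(quoted_name),
        "allowlist_accepts_plain": portname_is_valid("https-alt"),
        "unsafe_sql": build_unsafe_update(1, quoted_name),
        "unsafe_breaks": unsafe_update_breaks(conn, 1, quoted_name),
        "bound_stores_literally": rename_port_bound_only(conn, 1, quoted_name) == quoted_name,
        "escaped_for_html": render_portname('<b>"x"</b>'),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-24s %r" % (key, value))
```

The two fixes are independent: parameter binding is what removes the SQL injection, and the allowlist only narrows the input surface further; the reply's account of a regexp that "failed" is the reason not to rely on input filtering alone. Escaping belongs at output time, when the value is placed into HTML, not at storage time.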
Copyright 2010, SecurityFocus