AOH :: HP Unsorted N :: VA2649.HTM

NetMRI Login Application Cross-site Scripting Vulnerability



DDIVRT-2009-20 NetMRI Login Application Cross-site Scripting Vulnerability
DDIVRT-2009-20 NetMRI Login Application Cross-site Scripting Vulnerability



Title
-----
DDIVRT-2009-20 NetMRI Login Application Cross-site Scripting Vulnerability

Severity
--------
Low

Date Discovered
---------------
January 19th 2009

Discovered By
-------------
Digital Defense, Inc. Vulnerability Research Team
Credit: David Marshall and r@b13$

Vulnerability Description
-------------------------
NetMRI contains a cross-site scripting (XSS) issue whereby portions of the GET request are echoed back in an error page. This allows scripting tags to be executed by the browser to perform XSS attacks. Such an attack would require convincing a user to click on a specially crafted link.

Solution Description
--------------------
On February 18, 2009, Netcordia released a patch named "CrossScriptPatch.gpg" to address this vulnerability in all currently supported versions of NetMRI through v3.0.1. Customers can acquire the patch through the normal mechanisms or contact Netcordia Technical Support (support@netcordia.com) for assistance. Additionally, the necessary changes will be incorporated in future versions beginning with NetMRI v3.0.2. 

Tested Systems / Software (with versions)
------------------------------------------
Red Hat Linux, NetMRI

Vendor Contact
--------------
Name: Netcordia
Website: http://www.netcordia.com/products/netmri-event-analysis.asp 
Contact Information: http://www.netcordia.com/contact/index.asp 

The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH
We do not send spam. If you have received spam bearing an artofhacking.com email address, please forward it with full headers to abuse@artofhacking.com.