Dr. Web Control Center 6.00.3.201111300 – Cross-Site Scripting

• Exploit Database
• 12 阅读

• 作者： Oliver Karow
  日期： 2012-07-31
• 类别：

  • webapps
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/20124/

• Dr. Web Control Center Admin UI Remote Script Code Injection
  =============================================================
  
  Affected Products/Versions
  --------------------------
  
  Product Name: Dr. Web Enterprise Server
  Version Number: 6.00.3.201111300
  
  
  Product/Company Information
  ---------------------------
  
  >From Dr. Web's website:
  
  "Dr.Web Enterprise Security Suite is a set of Dr.Web software products incorporating anti-viruses 
  for protection of all hosts in a corporate network and a single Control Center for managing most of the products."
  
  
  Dr. Web's Website can be found at http://www.drweb.com
  
  
  Vulnerability Description
  -------------------------
  
  Dr. Web Enterprise Security Suite is managed via a web based interface called Control Center.
  
  If an attacker suplies java script code instead of a username on the login page, this script code will be automatically executed
  every time an administrative user is viewing the audit log.
  
  This attack can be used to steal authentication cookies or to drive further attacks.
  
  
  
  Patch Information
  -----------------
  
  Patch is available from vendor.
  
  
  Advisory Information
  ---------------------
  
  This: http://www.oliverkarow.de/research/drweb.txt
  
  
  History
  -------
  
  13/07/2012 - Informing Dr. Web about vulnerability
  16/07/2012 - Initial response from Dr. Web
  23/07/2012 - Fix successfully tested, sent response to Dr. Web
  30/07/2012 - Advisory release