Executive Summary

This Alert is flagged as TOP 25 Common Weakness Enumeration from CWE/SANS.
Summary

Title: Netsweeper Internet Filter WebAdmin Portal multiple vulnerabilities

Information
Name: VU#763795
Vendor: VU-CERT
Severity (Vendor): N/A
First vendor publication: 2012-07-09
Last vendor modification: 2012-08-20
Revision: M

Security-Database Scoring CVSS v3

CVSS vector: N/A
Overall CVSS Score: NA
Base Score: NA        Environmental Score: NA
Impact Sub Score: NA  Temporal Score: NA
Exploitability Sub Score: NA

Security-Database Scoring CVSS v2

CVSS vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Base Score: 10     Attack Range: Network
CVSS Impact Score: 10   Attack Complexity: Low
CVSS Exploit Score: 10  Authentication: None Required

Detail

Vulnerability Note VU#763795

Netsweeper Internet Filter WebAdmin Portal multiple vulnerabilities

Original Release date: 09 Jul 2012 | Last revised: 20 Aug 2012

Overview

Netsweeper Internet Filter WebAdmin Portal contains XSS, CSRF and SQLi vulnerabilities.

Description

Netsweeper Internet Filter's WebAdmin Portal contains the following XSS, CSRF and SQLi vulnerabilities.

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CVE-2012-2446:
(1) The Netsweeper Internet Filter WebAdmin Portal is vulnerable to reflected XSS via the HTTP POST method to the /webadmin/tools/local_lookup.php?action=lookup function using the group parameter. The reported reflected XSS allows information disclosure and arbitrary JavaScript execution in the victim's browser, which can lead to the compromise of a user's account, machine, or other sensitive information.

CWE-352: Cross-Site Request Forgery (CSRF) CVE-2012-2447:
(2) The Netsweeper Internet Filter WebAdmin Portal is vulnerable to CSRF via the HTTP POST method in the /webadmin/accountmgr/adminupdate.php?act=add function. The reported CSRF allows a breach of the content filtering system, resulting in complete compromise of an organization's Internet content filter and control over users' Internet traffic.

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') CVE-2012-3859:
(3) The Netsweeper Internet Filter WebAdmin Portal is vulnerable to SQL injection in the sortorder and sortitem parameters. An example of a vulnerable URL is http://SERVER_Hostname/webadmin/reporter/view_details.php?sortitem=report_date&sortorder=asc&type=demand&id=1441.
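The three weaknesses above correspond to three server-side controls: an allow-list for the sort parameters (never string-splicing them into SQL), output encoding for the reflected group value, and a per-session token bound to the state-changing POST. The following is an added example written for this note, not Netsweeper's code; the parameter names come from the note, while the column names, the HTML context and the token handling are assumptions.

```python
# Added example (not Netsweeper's code): server-side handling for the three
# input points named in the note. Column names and the HTML context are assumed.
import hmac
import html
import secrets
from typing import Optional

# CWE-89 (sortitem / sortorder in view_details.php): never splice request
# values into SQL. Map each permitted value to a fixed fragment; reject the rest.
SORT_COLUMNS = {"report_date": "report_date", "url": "url", "user": "username"}
SORT_ORDERS = {"asc": "ASC", "desc": "DESC"}


def build_order_clause(sortitem: str, sortorder: str) -> str:
    """Return an ORDER BY clause built only from allow-listed fragments."""
    column = SORT_COLUMNS.get(sortitem)
    direction = SORT_ORDERS.get(sortorder.lower())
    if column is None or direction is None:
        # Reject (and log) unknown values; the raw request value never reaches SQL.
        raise ValueError("sort parameter not in allow-list")
    return f"ORDER BY {column} {direction}"


# CWE-79 (group parameter reflected by local_lookup.php): encode on output so
# the value is displayed as text rather than parsed as markup.
def render_group_label(group: str) -> str:
    return f"<p>Results for group: {html.escape(group, quote=True)}</p>"


# CWE-352 (adminupdate.php?act=add): bind the state-changing POST to a secret
# per-session token that a form served from another origin cannot know.
def issue_csrf_token() -> str:
    return secrets.token_urlsafe(32)


def csrf_request_allowed(session_token: Optional[str],
                         submitted_token: Optional[str]) -> bool:
    """Accept the POST only when the submitted token matches the session's."""
    if not session_token or not submitted_token:
        return False
    # Constant-time comparison avoids leaking the token through timing.
    return hmac.compare_digest(session_token, submitted_token)
```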

Impact

An attacker with access to the Netsweeper Internet Filter WebAdmin Portal web interface can conduct a cross-site scripting, cross-site request forgery, or SQL injection attack, which could result in information leakage, privilege escalation, and/or denial of service.

Solution

Update

The vendor has stated that these vulnerabilities have been addressed in Netsweeper version 3.0.6. Users are advised to upgrade to version 3.0.6 or higher.

Restrict access

As a general good security practice, only allow connections from trusted hosts and networks. Note that restricting access does not prevent XSS, CSRF, or SQLi attacks since the attack comes as an HTTP request from a legitimate user's host. Restricting access would prevent an attacker from accessing the Netsweeper Internet Filter WebAdmin Portal web interface using stolen credentials from a blocked network location.

Vendor Information

Vendor: netsweeper
Status: Affected
Date Notified: 04 Jun 2012
Date Updated: 28 Jun 2012

If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group          Score  Vector
Base           6.3    AV:N/AC:M/Au:S/C:C/I:N/A:N
Temporal       4.8    E:POC/RL:W/RC:UC
Environmental  1.3    CDP:L/TD:L/CR:ND/IR:ND/AR:ND

References

  • http://www.netsweeper.com/
  • http://cwe.mitre.org/data/definitions/79.html
  • http://cwe.mitre.org/data/definitions/352.html
  • http://cwe.mitre.org/data/definitions/89.html
  • http://infosec42.blogspot.com/2012/07/cve-2012-2446-cve-2012-2447-cve-2012.html

Credit

Thanks to Jacob Holcomb of Leland Public Schools for reporting this vulnerability.

This document was written by Michael Orlando.

Other Information

  • CVE IDs: CVE-2012-2446, CVE-2012-2447, CVE-2012-3859
  • Date Public: 09 Jul 2012
  • Date First Published: 09 Jul 2012
  • Date Last Updated: 20 Aug 2012
  • Document Revision: 24

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.

This product is provided subject to the Notification as indicated here: http://www.us-cert.gov/legal.html#notify

Original Source

URL: http://www.kb.cert.org/vuls/id/763795

CWE: Common Weakness Enumeration

%     Id       Name
50 %  CWE-352  Cross-Site Request Forgery (CSRF) (CWE/SANS Top 25)
50 %  CWE-79   Failure to Preserve Web Page Structure ('Cross-site Scripting') (CWE/SANS Top 25)

CPE: Common Platform Enumeration

Type         Description  Count
Application               1

ExploitDB Exploits

Date        Description
2012-09-17  Netsweeper WebAdmin Portal Multiple Vulnerabilities
2012-07-10  Netsweeper WebAdmin Portal Multiple Vulnerabilities