Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

DDIVRT-2009-20 NetMRI Login Application Cross-site Scripting Vulnerability
From: "DDI_Vulnerability_Alert" <DDI.VulnerabilityAlert () ddifrontline com>
Date: Wed, 18 Feb 2009 11:23:47 -0600

Title

-----

DDIVRT-2009-20 NetMRI Login Application Cross-site Scripting
Vulnerability

 

Severity

--------

Low

 

Date Discovered

---------------

January 19th 2009

 

Discovered By

-------------

Digital Defense, Inc. Vulnerability Research Team

Credit: David Marshall and r () b13$

 

Vulnerability Description

-------------------------

NetMRI contains a cross-site scripting (XSS) issue whereby portions of
the GET request are echoed back in an error page. This allows scripting
tags to be executed by the browser to perform XSS attacks. Such an
attack would require convincing a user to click on a specially crafted
link.

 

Solution Description

--------------------

On February 18, 2009, Netcordia released a patch named
"CrossScriptPatch.gpg" to address this vulnerability in all currently
supported versions of NetMRI through v3.0.1.  Customers can acquire the
patch through the normal mechanisms or contact Netcordia Technical
Support (support () netcordia com) for assistance.  Additionally, the
necessary changes will be incorporated in future versions beginning with
NetMRI v3.0.2.

 

Tested Systems / Software (with versions)

------------------------------------------

Red Hat Linux, NetMRI

 

Vendor Contact

--------------

Name: Netcordia

Website: http://www.netcordia.com/products/netmri-event-analysis.asp

Contact Information: http://www.netcordia.com/contact/index.asp
<http://www.netcordia.com/contact/index.asp> 

 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
  • DDIVRT-2009-20 NetMRI Login Application Cross-site Scripting Vulnerability DDI_Vulnerability_Alert (Feb 18)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault