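Dell packetTrap PSA Multiple HTML Injection Vulnerabilities

Published: 2013-07-18
Updated: 2013-07-19

Affected systems:
Dell packetTrap PSA

Description:
--------------------------------------------------------------------------------
BUGTRAQ ID: 61318

Dell packetTrap PSA is IT management and network monitoring software. Dell packetTrap PSA 7.1 contains multiple HTML injection vulnerabilities. Successful exploitation allows attacker-supplied HTML and script code to run in the context of the affected browser and to perform unauthorized database operations.

<*Source: Benjamin Kunz Mejri
  *>

Test method:
--------------------------------------------------------------------------------
Warning: the following procedure (method) may be offensive in nature and is provided for security research and teaching only. Use at your own risk!

Review: Contract Overview & Edit - Listing
<div class="objectHead">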
<h1>Contract: <span id="lblPageTitle">"><[PERSISTENT INJECTED SCRIPT CODE!]></span></h1>
<h2><a href="https://www.example.com/customers/customer.aspx?customerId=33628564";><span
id="lblCustomerName">Sample Customer</span></a></h2>
</div>
... &
<td style="width:130px;" class="formLabel">Contract Name:</td>
<td style="width:auto;">
<span id="txtContractName">"><[PERSISTENT INJECTED SCRIPT CODE!]></span>
</td>
</tr>

Review: Equipment Item Overview & Edit - Listing
<td class="formLabel">
Purchase Info.:
</td>
<td>
<span id="lblPurchaseInfo">Purchased on Dec 11, 2012 from "><[PERSISTENT INJECTED SCRIPT CODE!]></span>
</td>
</tr>

Review: Import Customer Equipment Records Overview - Listing
</tr><tr class="gridItem" valign="top">
<td><!--?php</td-->
</td></tr><tr class="gridItem" valign="top">
<td>phpinfo();</td> O_O
</tr><tr class="gridItem" valign="top">
<td>?></td>
</tr><tr class="gridItem" valign="top">
<td>><[PERSISTENT INJECTED SCRIPT CODE!](</td">
</tr>
</table>

Review: Labor Rate Details - Listing
<td class="formLabel">
Name/No.:</td>
<td>
<span id="lblItemNo">"><[PERSISTENT INJECTED SCRIPT CODE!]></span>
</td>
</tr>
<tr>
<td class="formLabel">Description:</td>
<td>
<span id="lblDescription">"><[PERSISTENT INJECTED SCRIPT CODE!]></span></td>
</tr>
... &
<td class="formLabel">Account Name:</td>
<td>
<span id="lblAccountName">"><[PERSISTENT INJECTED SCRIPT CODE!]></span></td>
</tr>

Review: Materials Item Overview - Listing
<span id="lblItemNo">"><[PERSISTENT INJECTED SCRIPT CODE!]">
</td>
</tr>
<tr>
<td class="formLabel">
Description:</td>
<td>
<span id="lblDescription">"><[PERSISTENT INJECTED SCRIPT CODE!]></span></td>
</tr>
... &
<table border="0" cellpadding="4" cellspacing="0" width="100%">
<tbody><tr>
<td colspan="2">
<hr></td>
</tr>
<tr>
<td style="width:130px;" class="formLabel">Manufacturer:</td>
<td style="width:auto;">
<span id="lblMfrName">"><[PERSISTENT INJECTED SCRIPT CODE!]></span></td>
</tr>
<tr><td class="formLabel">Mfr. Item No.:</td>
<td>
<span id="lblMfrItemNo">"><[PERSISTENT INJECTED SCRIPT CODE!]></span></td>
</tr>
<tr><td class="formLabel">Mfr. Item Desc.:</td>
<td>
<span id="lblMfrDescription">"><[PERSISTENT INJECTED SCRIPT CODE!]></span></td>
</tr>
... &
<tr><td class="formLabel">Account Name:</td>
<td>
<span id="lblAccountName">"><[PERSISTENT INJECTED SCRIPT CODE!]></span></td>
</tr>
<tr>
<td colspan="2">
<hr></td>
</tr>
<tr>
<td class="formLabel">Id:</td>
<td>
<span id="lblItemId">33583304</span></td>
</tr>
<tr>
<td class="formLabel">Created:</td>
<td>
<span id="lblCreated">by the storm on Dec 9, 2012 at 5:11 PM</span></td>
</tr>
<tr>
<td colspan="2">
<hr></td>
</tr>
<tr>
<td class="formLabel">Notes:</td>
<td>
<span id="lblNotes">"><[PERSISTENT INJECTED SCRIPT CODE!]></span></td>
</tr>

Review: New customer Account Details - Listing
<tbody><tr>
<td style="width: 130px;">
<strong>Primary Contact:</strong>
</td>
<td style="width: auto;">
<span id="lblPrimaryContact"><a href="https://www.example.com/customers/contact.aspx?customerId=33628565&;
contactId=33637457">"><iframe src=http://www. "><iframe src=http://www.</a>, () -,
<a href="mailto:";><[PERSISTENT INJECTED SCRIPT CODE!]>">"><[PERSISTENT INJECTED SCRIPT CODE!]></a></span>
</td>
</tr>
<tr>
<td>
<strong>Primary Location:</strong>
</td>
<td>
<span id="lblPrimaryLocation"><a href="https://www.example.com/customers/location.aspx?customerId=33628565&;
locationID=33649992">"><[PERSISTENT INJECTED SCRIPT CODE!]</a>, "><[PERSISTENT INJECTED SCRIPT CODE!]>
(<a href="https://www.example.com/tools/getMap.aspx?customerLocationId=33649992"; class="map-link">Get
Map</a>)</span>
</td>
</tr>
</tbody>

Review: Report - Listing
<div class="ReportHeader">
<h1><span id="lblPageTitle">"><[PERSISTENT INJECTED SCRIPT CODE!]></span></h1>
</div>
   
<div class="ReportBody">
<input name="TempSortCol" id="TempSortCol" type="hidden">
<input name="TempSortOrder" id="TempSortOrder" type="hidden"><div id="ReportParameters" class="ReportParameters2">
<div id="StandardFilters_ReportParameters"><div class="ParameterGroupHead">
<span class="ui-corner-tr">Time Frame</span>
</div>

Recommendation:
--------------------------------------------------------------------------------
Vendor patch:

Dell
----
The vendor has not yet provided a patch or upgrade. We recommend that users of this software watch the vendor's home page for the latest version:
http://www.dell.com/support/drivers/us/en/
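
Added example (not part of the original advisory and not Dell's code): the listings above show stored field values rendered inside label spans without output encoding. The Python sketch below renders a constructed, inert value both ways and audits the resulting HTML for markup inside a label span; the function and class names and the sample value are assumptions, and the span ids are taken from the listings.

```python
import html
from html.parser import HTMLParser

# Span ids come from the listings above; the stored value is a constructed, inert marker.
FIELD_IDS = ("lblPageTitle", "txtContractName", "lblPurchaseInfo", "lblNotes")
STORED_VALUE = '"><i>marker</i>'  # constructed sample with the same '">' prefix

def render_unsafe(field_id, value):
    """Concatenate the stored value into markup (the behaviour the listings show)."""
    return '<span id="%s">%s</span>' % (field_id, value)

def render_encoded(field_id, value):
    """HTML-encode the stored value on output so the browser displays it as text."""
    return '<span id="%s">%s</span>' % (field_id, html.escape(value, quote=True))

class LabelAudit(HTMLParser):
    """Flag label spans that contain child elements; a text-only field never should."""
    def __init__(self, field_ids):
        super().__init__(convert_charrefs=True)
        self.field_ids = set(field_ids)
        self.current = None   # id of the label span currently open
        self.depth = 0        # nested <span> count inside that label
        self.text = {}        # id -> decoded text content
        self.injected = {}    # id -> unexpected child tags

    def handle_starttag(self, tag, attrs):
        if self.current is not None:
            self.injected.setdefault(self.current, []).append(tag)
            self.depth += 1 if tag == "span" else 0
            return
        span_id = dict(attrs).get("id")
        if tag == "span" and span_id in self.field_ids:
            self.current, self.text[span_id] = span_id, ""

    def handle_endtag(self, tag):
        if tag == "span" and self.current is not None:
            if self.depth:
                self.depth -= 1
            else:
                self.current = None

    def handle_data(self, data):
        if self.current is not None:
            self.text[self.current] += data

def audit(page_html, field_ids=FIELD_IDS):
    parser = LabelAudit(field_ids)
    parser.feed(page_html)
    parser.close()
    return parser.injected, parser.text
```

Run as a regression check against rendered pages, audit() returns an empty first element when every label span holds text only.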