[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
CVE-2014-4980 Parameter Tampering in Nessus Web UI - Remote Information Disclosure
- To: bugtraq <bugtraq@xxxxxxxxxxxxxxxxx>
- Subject: CVE-2014-4980 Parameter Tampering in Nessus Web UI - Remote Information Disclosure
- From: i amroot <i@xxxxxxxxxx>
- Date: Fri, 18 Jul 2014 08:49:47 -0600 (EAST)
Product: Nessus
Vendor: Tenable Network Security
Version: Nessus 5.2.3-5.2.7 - Web UI 2.3.4 (potentially lower)
Vendor Notified Date: June 24, 2014
Vendor Resolved Date: June 25, 2014
Release Date: July 18, 2014
Risk: Medium
Authentication: Not Required
Remote: Yes
Description:
A parameter tampering vulnerability exists in Nessus 5.2.7 and potentially
below that allows remote attackers to retrieve potentially sensitive
information from the server via the Nessus Web UI. By not checking each
parameter, an attacker can retrieve information meant for authenticated users.
Successful exploitation of this vulnerability resulted in retrieving the
following data without authentication, which can assist an attacker to
launching further attacks:
Plugin Set, Server uuid, Web Server Version, Nessus UI Version, Nessus Type,
Notifications, MSP, Capabilities, Multi Scanner, Multi User, Tags, Reset
Password, Report Diff, Report Email Config, Report Email, PCI Upload, Plugin
Rules, Plugin Set, Idle Timeout, Scanner Boot time, Server Version, Feed, and
Status.
Exploit steps for proof-of-concept:
1. Navigate to http://vulnerablehost.com/server/properties?token= and observe
the returned content.
2. Navigate to http://vulnerablehost.com/server/properties?token=1 and observe
the newly returned content meant for authenticated sessions.
Vendor Response: Fix was added to Web UI 2.3.5 on June 25, 2014.
Reference:
CVE-2014-4980
http://www.halock.com/blog/cve-2014-4980-parameter-tampering-nessus-web-ui/
http://www.tenable.com/security/tns-2014-05
Credit:
Robert Gilbert
HALOCK Security Labs