[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] [Bkis-09-2009] XSS vulnerability in 'Monitor_Bandwidth' - PRTG Traffic Grapher



XSS vulnerability in 'Monitor_Bandwidth' - PRTG Traffic Grapher 
<http://blog.bkis.com/?p=704>

1. General information

PRTG Traffic Grapher is a network monitoring solution, which helps 
manage and classify bandwidth usage of a network by providing accurate 
results about network traffic and usage trends in graphs and tables. The 
software also supports SNMP (Simple Network Management Protocol). PRTG 
Traffic Grapher is available at http://www.paessler.com.

In April 2009, Bkis discovered a vulnerability in PRTG Traffic Grapher. 
A hacker might exploit this hole to insert malicious codes into links to 
be executed in the user’ browsers, resulting in the loss of cookies, 
session, etc.

Bkis has sent the warning to PRTG Traffic Grapher developer and the 
vulnerability has now been fixed.

Details : http://blog.bkis.com/?p=704
Bkis Advisory : Bkis-09-2009.
Initial vendor notification : 11/05/2009
Release Date : 28/05/2009
Update Date : 28/05/2009
Discovered by : Truong Truong Quan, Bkis.
Attack Type : XSS.
Security Rating : High.
Impact : Code Execution.
Affected Software : PRTG Traffic Grapher V6.2.2.977 and earlier versions.

2. Technical details

The identified XSS vulnerability resides in the Monitor_Bandwidth 
function of the software. Specifically, the software fails to adequately 
validate the input parameters.

To exploit the hole, hackers will trick users into accessing the links 
containing malicious scripts. If users have already logged in PRTG 
Traffic Grapher as administrators, the hackers will be able to gain the 
control over the work sessions and then the complete control over PRTG 
Traffice Grapher.

3. Solution
Bkis recommends that organizations, businesses using PRTG Traffic 
Grapher immediately get the latest version of the software at 
http://www.paessler.com/prtg6/download

Bkis


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/