Tembria Server Monitor Multiple Cross-site Scripting (XSS) Vulnerabilities

[robkraus]

Tembria Server Monitor Multiple Cross-site Scripting (XSS) Vulnerabilities



Solutionary ID: SERT-VDN-1003



Solutionary Disclosure URL: 
http://www.solutionary.com/index/SERT/Vuln-Disclosures/Tembria-Server-Monitor-XSS.html



CVE ID: Pending 



Product: Tembria Server Monitor 



Application Vendor: Tembria 



Vendor URL: http://www.tembria.com/products/servermonitor/index.html 



Date discovered: 1/22/2011 



Discovered by: Rob Kraus, Jose Hernandez, and Solutionary 

Engineering Research Team (SERT) 



Vendor notification date: 1/25/2011 



Vendor response date: 1/25/2011 



Vendor acknowledgment date: 1/25/2011 



Public disclosure date: 2/14/2011



Type of vulnerability: Cross-Site Scripting (XSS) - Reflected



Exploit Vectors: Local and Remote



Vulnerability Description: The Web application management interface of Server 
Monitor contains multiple injection points, which allow for execution of 
Cross-site Scripting (XSS) attacks. Arbitrary client side code such as 
JavaScript can be included into certain parameters throughout the Web 
application. The following parameters and Web pages have been tested and 
verified; however, it is likely more views and parameters within the 
application are vulnerable: 



event-history.asp (siteid, type) parameter 

admin-history.asp (siteid, type) parameters 

dashboard-view.asp (siteid, id) parameters 

device-events.asp (siteid, dn) parameters 

device-finder.asp (siteid, submit) parameters 

device-list.asp (siteid, action, sel) parameters 

device-monitors.asp (siteid, dn) parameters 

device-views.asp (siteid, type) parameters 

logbook.asp (siteid) parameter 

monitor-events.asp (siteid) parameter 

monitor-list.asp (siteid, action, sel) parameters 

monitor-views.asp (siteid, type) parameters 

reports-config-by-device.asp (siteid) parameter 

reports-config-by-monitor.asp (siteid) parameter 

reports-list.asp (siteid, sel) parameters 

reports-monitoring-queue.asp (siteid) parameter

site-list.asp (action) parameter 



Tested on: Windows XP, SP3, with Tembria Server Monitor v6.0.4 - Build 2229 
default installation. 



Affected software versions: Tembria Server Monitor v6.0.4 - Build 2229 
(previous versions may also be vulnerable)



Impact: Successful attacks could disclose sensitive information about the user, 
session, and application to the attacker, resulting in a loss of 
confidentiality. Using XSS, an attacker could insert malicious code into a web 
page and entice naïve users to execute the malicious code.



Fixed in: Tembria Server Monitor v6.0.5 - Build 2252



Remediation guidelines: The vendor has created a fix for the vulnerabilities 
identified. Please update to version 6.0.5 - Build 2252 or newer.