Mercury SiteScope 8.2 (8.1.2.0) Cross Site Scripting (XSS) Vulnerability
Whitehat.org.uk Advisory (1)
Mercury SiteScope 8.2 (8.1.2.0) Cross Site Scripting (XSS) Vulnerability
Vulnerability Type: Active code injection (XSS)
Problem Discovered: 14 September 2006
Vendor Contacted: 14 September 2006
Advisory Published: 29 September 2006
Abstract:
Mercury SiteScope is an agentless system monitoring solution designed to ensure
the availability and performance of distributed IT infrastructures available on
the Microsoft Windows Server platform as well as others.
Description:
User supplied HTML code is executed by the sitescope.
Technical Details:
Mercury sitescope 8.2 does not correctly validate user submitted input, making
it possible to execute user submitted code by the sitescope web engine.
1) With the exception of "create new group name", any field create name field
was susceptible to exploitation.
2) Any "description" field was susceptible to exploitation.
Additional Issues:
Attempting to inject HTML code in the "new monitor description" field resulted
in a loss of connectivity to the classic interface.
Workaround:
None at present - This may be considered a low risk issue as the user will need
to be authenticated in order inject the maliciuos code, however, this attack
vector could leveraged to steal session information. The vendor has been
notified, however, has been non-responsive.
Tested Versions:
Mercury Sitescope 8.2 on Windows 2003 server - avaliable from
http://www.mercury.com
Credits: Ozkan Aziz
Greetings: Gyan (dude), Varun :) , Gerald (Wheeey), Chitt (eCrimes)
Disclaimer:
This advisory intended to be informational. No responsibility is taken for its
misuse.