<<< Date Index >>>     <<< Thread Index >>>

Mercury SiteScope 8.2 (8.1.2.0) Cross Site Scripting (XSS) Vulnerability



Whitehat.org.uk Advisory (1)

Mercury SiteScope 8.2 (8.1.2.0) Cross Site Scripting (XSS) Vulnerability

Vulnerability Type: Active code injection (XSS)

Problem Discovered: 14 September 2006
Vendor Contacted: 14 September 2006
Advisory Published: 29 September 2006

Abstract:
Mercury SiteScope is an agentless system monitoring solution designed to ensure 
the availability and performance of distributed IT infrastructures available on 
the Microsoft Windows Server platform as well as others.

Description:
User supplied HTML code is executed by the sitescope.

Technical Details:

Mercury sitescope 8.2 does not correctly validate user submitted input, making 
it possible to execute user submitted code by the sitescope web engine.

1) With the exception of "create new group name", any field create name field 
was susceptible to exploitation.
2) Any "description" field was susceptible to exploitation.

Additional Issues: 
Attempting to inject HTML code in the "new monitor description" field resulted 
in a loss of connectivity to the classic interface.

Workaround:
None at present - This may be considered a low risk issue as the user will need 
to be authenticated in order inject the maliciuos code, however, this attack 
vector could leveraged to steal session information. The vendor has been 
notified, however, has been non-responsive.

Tested Versions:
Mercury Sitescope 8.2 on Windows 2003 server - avaliable from 
http://www.mercury.com

Credits: Ozkan Aziz

Greetings: Gyan (dude), Varun :) , Gerald (Wheeey), Chitt (eCrimes)

Disclaimer:
This advisory intended to be informational. No responsibility is taken for its 
misuse.