DDIVRT-2009-20 NetMRI Login Application Cross-site Scripting Vulnerability
Title
-----
DDIVRT-2009-20 NetMRI Login Application Cross-site Scripting Vulnerability
Severity
--------
Low
Date Discovered
---------------
January 19th 2009
Discovered By
-------------
Digital Defense, Inc. Vulnerability Research Team
Credit: David Marshall and r@b13$
Vulnerability Description
-------------------------
NetMRI contains a cross-site scripting (XSS) issue whereby portions of the GET
request are echoed back in an error page. This allows scripting tags to be
executed by the browser to perform XSS attacks. Such an attack would require
convincing a user to click on a specially crafted link.
Solution Description
--------------------
On February 18, 2009, Netcordia released a patch named "CrossScriptPatch.gpg"
to address this vulnerability in all currently supported versions of NetMRI
through v3.0.1. Customers can acquire the patch through the normal mechanisms
or contact Netcordia Technical Support (support@xxxxxxxxxxxxx) for assistance.
Additionally, the necessary changes will be incorporated in future versions
beginning with NetMRI v3.0.2.
Tested Systems / Software (with versions)
------------------------------------------
Red Hat Linux, NetMRI
Vendor Contact
--------------
Name: Netcordia
Website: http://www.netcordia.com/products/netmri-event-analysis.asp
Contact Information: http://www.netcordia.com/contact/index.asp