<<< Date Index >>>     <<< Thread Index >>>

[Bkis-09-2009] XSS vulnerability in 'Monitor_Bandwidth' - PRTG Traffic Grapher



XSS vulnerability in 'Monitor_Bandwidth' - PRTG Traffic Grapher <http://blog.bkis.com/?p=704>

1. General information

PRTG Traffic Grapher is a network monitoring solution, which helps manage and classify bandwidth usage of a network by providing accurate results about network traffic and usage trends in graphs and tables. The software also supports SNMP (Simple Network Management Protocol). PRTG Traffic Grapher is available at http://www.paessler.com.

In April 2009, Bkis discovered a vulnerability in PRTG Traffic Grapher. A hacker might exploit this hole to insert malicious codes into links to be executed in the user’ browsers, resulting in the loss of cookies, session, etc.

Bkis has sent the warning to PRTG Traffic Grapher developer and the vulnerability has now been fixed.

Details : http://blog.bkis.com/?p=704
Bkis Advisory : Bkis-09-2009.
Initial vendor notification : 11/05/2009
Release Date : 28/05/2009
Update Date : 28/05/2009
Discovered by : Truong Truong Quan, Bkis.
Attack Type : XSS.
Security Rating : High.
Impact : Code Execution.
Affected Software : PRTG Traffic Grapher V6.2.2.977 and earlier versions.

2. Technical details

The identified XSS vulnerability resides in the Monitor_Bandwidth function of the software. Specifically, the software fails to adequately validate the input parameters.

To exploit the hole, hackers will trick users into accessing the links containing malicious scripts. If users have already logged in PRTG Traffic Grapher as administrators, the hackers will be able to gain the control over the work sessions and then the complete control over PRTG Traffice Grapher.

3. Solution
Bkis recommends that organizations, businesses using PRTG Traffic Grapher immediately get the latest version of the software at http://www.paessler.com/prtg6/download

Bkis