[NEWS] VMware ESX Server XSS
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 7 Jun 2006 10:29:24 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
VMware ESX Server XSS
------------------------------------------------------------------------
SUMMARY
"ESX Server abstracts processor, memory, storage and networking resources
into multiple virtual machines, giving you greater hardware utilization and
flexibility." <http://www.vmware.com/products/vi/esx/>
User-supplied data written to syslog is displayed by the Management
Interface without HTML encoding, allowing attackers to mount cross-site
scripting (XSS) attacks against administrators of VMware ESX Server.
DETAILS
Vulnerable Systems:
* VMware ESX version 2.5.2 patch 1 and prior
* VMware ESX version 2.1.2 patch 5 and prior
* VMware ESX version 2.0.1 patch 5 and prior
Immune Systems:
* VMware ESX 2.5.2 upgrade patch 2
* VMware ESX 2.1.2 upgrade patch 6
* VMware ESX 2.0.1 upgrade patch 6
The VMware ESX Server product provides a web application (the Management
Interface) for administering the system. One of its functions is to let
administrative users view log files, such as syslog, in a browser. The
syslog data is written into the page without HTML encoding, so HTML
meta-characters in the log are interpreted by the browser. Any attacker who
can get text of their choosing into syslog can therefore inject HTML,
including JavaScript, that is rendered or executed when an administrator
views the log through the Management Interface. Because the raw syslog data
is placed between <div> tags, the injected string has to close that tag
first for a clean injection. Two ways of getting the string into syslog were
identified:
1. An attacker could simply attempt to log in to the Management
Interface with a username that contains the injection script, such as:
</div><script>alert('XSS')</script>
2. An attacker could attempt to log in to the ftp server with a username
containing a similar injection string.
It should be noted that the ftp server is not enabled by default, however,
the Management Interface is.
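The following script, added here as an illustration and not taken from the advisory or from VMware's code, shows the mechanism on constructed syslog lines: a vulnerable viewer that drops raw log text inside a <div>, a hardened viewer that HTML-encodes every line, a check that the viewer's own container is no longer closed early by log content, and a cheap detection pass over the log for usernames carrying HTML meta-characters. The log message format is an assumption for the example, not the real ESX 2.x authd or ftpd format.

```python
import html
import re

# Constructed sample syslog lines for this example (the message format is an
# assumption, not the real ESX 2.x format). The point they illustrate: the
# username typed at the Management Interface or ftp login prompt is copied
# verbatim into the log, including the advisory's </div><script> payload.
SAMPLE_SYSLOG = [
    "Jun  7 10:29:24 esx01 vmware-authd[1234]: login from 192.0.2.10 as 'root'",
    "Jun  7 10:29:31 esx01 vmware-authd[1234]: login failure for user "
    "'</div><script>alert('XSS')</script>' from 192.0.2.66",
    "Jun  7 10:29:40 esx01 ftpd[2345]: FAIL LOGIN: client 192.0.2.66 "
    "user '<img src=x onerror=alert(1)>'",
    "Jun  7 10:30:02 esx01 kernel: eth0: link up",
]


def render_log_vulnerable(lines):
    """Mimics the flawed viewer: raw log text is dropped inside a <div>."""
    body = "\n".join(lines)
    return '<html><body><div class="log">' + body + "</div></body></html>"


def render_log_fixed(lines):
    """Hardened viewer: every line is HTML-escaped before it reaches the page,
    so < > & and quotes from the log become entities the browser shows as text."""
    body = "\n".join(html.escape(line, quote=True) for line in lines)
    return '<html><body><div class="log">' + body + "</div></body></html>"


def div_balance(page):
    """Number of opening <div> tags minus closing </div> tags in the page.
    0 means log content did not close the viewer's own container early."""
    return len(re.findall(r"<div\b", page)) - page.count("</div>")


# Meta-characters that should never appear in a username that reached syslog.
HTML_META = re.compile(r"[<>]|&#|javascript:", re.IGNORECASE)


def suspicious_lines(lines):
    """Return (index, line) for log lines carrying HTML meta-characters: a
    simple detection for attempted injection via the management or ftp login."""
    return [(i, line) for i, line in enumerate(lines) if HTML_META.search(line)]


if __name__ == "__main__":
    vuln = render_log_vulnerable(SAMPLE_SYSLOG)
    fixed = render_log_fixed(SAMPLE_SYSLOG)
    print("vulnerable page div balance:", div_balance(vuln))   # -1: payload closed it
    print("fixed page div balance:     ", div_balance(fixed))  # 0
    print("script tag survives in fixed page:", "<script>" in fixed)
    for i, line in suspicious_lines(SAMPLE_SYSLOG):
        print(f"suspicious log line {i}: {line}")
```

The detection pass is deliberately crude: it flags any `<`, `>`, numeric entity prefix or `javascript:` anywhere in a line, which is enough to catch both vectors described above and produces no hits on ordinary authd or kernel messages. The real fix is the one in `render_log_fixed`: encode on output, regardless of how the text got into the log.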
This flaw could be used to conduct any of the usual cross-site scripting
attacks, such as session hijacking, cross-site request forgery, or
falsification of the syslog data as it appears to the viewer (the file on
disk is unchanged, but the administrator sees attacker-controlled content).
The risk is increased by the fact that only administrative users have
permission to view the syslog files through the Management Interface: the
script executes in an administrator's browser, so a successful session
hijacking attack would likely yield administrative access.
CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3619>
CVE-2005-3619
Disclosure Timeline:
Discovered: 11.11.05 (Stephen de Vries)
Vendor notified via client: 15.11.05
Vendor notified directly: 19.05.06
Document released: 01.06.06
ADDITIONAL INFORMATION
The information has been provided by Corsaire Security
<mailto:advisories@xxxxxxxxxxxx>.