"The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards - and even then I have my doubts. - Gene Spafford"
HIO-2009-0630 AIRT Multiple Vulnerabilities PDF Print E-mail

AIRT, the Application for Incident Response Teams, contains flaws that allow cross site request forgery and cross site scripting.

 

1) XSS: Input passed to the "status" parameter is not properly verified before being submitted to incident.php. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

 

2) CSRF: The application allows users to perform certain actions via HTTP requests without performing any validation checks to verify the requests. This can be exploited to e.g. add users via users.php when a logged in user views a malicious web page.

 

The vulnerabilities are confirmed in version 20090424.1 and earlier. Vendor has released version 20090726.1 to address this issue along with other updates. 

 

References:

CVE-2009-pending

BID:

FrSIRT: N/A

Nessus:N/A

OSVDB: 56831, 56832

SA: 

XF: 

Related: 

Vendor Solution: Upgrade to 20090726.1


 
< Prev   Next >