CVE-2019-11604 Quest KACE Systems Management Appliance

CVE-2019-11604 Quest KACE Systems Management Appliance <= 9.0 kbot_service_notsoap.php METHOD Reflected Cross-Site Scripting

1. ADVISORY INFORMATION
=======================
Product:        Quest KACE Systems Management Appliance
Vendor URL:     www.quest.com
Type:           Cross-Site Scripting [CWE-79]
Date found:     2018-09-09
Date published: 2019-05-19
CVSSv3 Score:   4.7 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N)
CVE:            CVE-2019-11604

2. CREDITS
==========
This vulnerability was discovered and researched by Julien Ahrens from
RCE Security.

3. VERSIONS AFFECTED
====================
Quest KACE Systems Management Appliance 9.0 and below

4. INTRODUCTION
===============
The KACE Systems Management Appliance (SMA) helps you accomplish these goals
by automating complex administrative tasks and modernizing your unified endpoint
management approach. This makes it possible for you to inventory all hardware
and software, patch mission-critical applications and OS, reduce the risk of
breach, and assure software license compliance. So you're able to reduce systems
management complexity and safeguard your vulnerable endpoints.

(from the vendor's homepage)

5. VULNERABILITY DETAILS
========================
The script "/service/kbot_service_notsoap.php" is vulnerable to an unauthenticated
reflected Cross-Site Scripting vulnerability when user-supplied input to the
HTTP GET parameter "METHOD" is processed by the web application. Since the
application does not properly validate and sanitize this parameter, it is
possible to place arbitrary script code onto the same page.

The following Proof-of-Concept triggers this vulnerability:
https://127.0.0.1/service/kbot_service_notsoap.php?METHOD=&lt;script>alert(document.domain)</script>

6. RISK
=======
To successfully exploit this vulnerability an unauthenticated or authenticated
user must be tricked into visiting an arbitrary website.

The vulnerability can be used to temporarily embed arbitrary script code into the
context of the appliance web interface, which offers a wide range of possible
attacks such as redirecting the user to a malicious page, spoofing content on the
page or attacking the browser and its plugins. Since all session-relevant cookies
are protected by HTTPOnly, it is not possible to hijack sessions.

7. SOLUTION
===========
Update to Quest KACE Systems Management Appliance 9.1

8. REPORT TIMELINE
==================
2018-09-09: Discovery of the vulnerability
2019-02-28: Tried to notify vendor via their vulnerability report form
            but unfortunately the WAF protecting the form blocked the
            Proof-of-Concept payload
2019-02-28: Sent another notification without any payloads
2019-02-28: Vendor response
2019-03-01: Sent the exploit payload in a separate mail
2019-03-01: Vendor acknowledges the issue (tracked as K1-20409) which will
            be fixed in the 9.1 release (released on 2019/04/15)
2019-03-01: Vendor asks to delay the disclosure to make sure all customers
            had time to upgrade
2019-03-13: Requested disclosure extension granted
2019-04-30: CVE requested from MITRE
2019-04-30: MITRE assigns CVE-2019-11604
2019-05-19: Public disclosure

CVE-2019-11604 Quest KACE Systems Management Appliance <= 9.0 XSS的更多相关文章

  1. 2019年第一天——使用Visual Studio 2019 Preview创建第一个ASP.Net Core3.0的App

    一.前言: 全文翻译自:https://www.talkingdotnet.com/creating-first-asp-net-core-3-0-app-visual-studio-2019/ Vi ...

  2. CVE 2019 0708 安装重启之后 可能造成 手动IP地址丢失.

    1. 最近两天发现 更新了微软的CVE 2019-0708的补丁之后 之前设置的手动ip地址会变成 自动获取, 造成ip地址丢失.. 我昨天遇到两个, 今天同事又遇到一个.微软做补丁也不走心啊..

  3. nyoj 72-Financial Management (求和 ÷ 12.0)

    72-Financial Management 内存限制:64MB 时间限制:3000ms 特判: No 通过数:7 提交数:12 难度:1 题目描述: Larry graduated this ye ...

  4. 2019 vs 如何升级到.net core 3.0 版本

    写在前面 看到微软的官网都已经更新.NET CORE 3.0的版本了.发现自己的还是.NET CORE 2.1X 的版本. 那应该如果升级到.NET CORE 3.0 的版本呢? 思考 [1]首先,我 ...

  5. windows常用端口对应表

    端口概念 在网络技术中,端口(Port)大致有两种意思:一是物理意义上的端口,比如,ADSL Modem.集线器.交换机.路由器用于连接其他网络设备的接口,如RJ-45端口.SC端口等等.二是逻辑意义 ...

  6. port与大全portClose方法

    在网络技术,port(Port)通常,有两种含义:首先,物理意义port,例,ADSL Modem.枢纽.开关.路由器连接其他网络设备的接口,如RJ-45port.SCport等等.第二个是逻辑意义p ...

  7. port大全及port关闭方法

    在网络技术中,port(Port)大致有两种意思:一是物理意义上的port,比方,ADSL Modem.集线器.交换机.路由器用于连接其它网络设备的接口,如RJ-45port.SCport等等.二是逻 ...

  8. Windows操作系统上各种服务使用的端口号, 以及它们使用的协议的列表

    Windows操作系统上各种服务使用的端口号, 以及它们使用的协议的列表 列表如下 Port Protocol Network Service System Service System Servic ...

  9. Windows 端口和所提供的服务

    一 .端口大全 端口:0 服务:Reserved 说明:通常用于分析操作系统.这一方法能够工作是因为在一些系统中“0”是无效端口,当你试图使用通常的闭合端口连接它时将产生不同的结果.一种典型的扫描,使 ...

随机推荐

  1. Spring中好玩的注解和接口

    测试中: 一.unit中集中基本注解,是必须掌握的. @BeforeClass – 表示在类中的任意public static void方法执行之前执行 @AfterClass – 表示在类中的任意p ...

  2. 函数和宏实现打印的增强myprintf

    函数和宏实现打印的增强

  3. Centos7 手动编译 RabbitMQ ,并安装php amqp

    RabbitMQ是一个在AMQP基础上完成的,可复用的企业消息系统,底层基于Erlang语言. 一:centos7安装RabbitMQ 这玩意儿安装很扯淡,官方推荐rpm安装,rpm安装本身是最简单的 ...

  4. Linux系统调优——磁盘I/O(三)

    (1).查看I/O运行状态相关工具 1)查看文件系统块大小 对于ext4文件系统,查看文件系统块大小 [root@CentOS6 ~]# tune2fs -l /dev/sda1 | grep siz ...

  5. 改进初学者的PID-积分饱和

    最近看到了Brett Beauregard发表的有关PID的系列文章,感觉对于理解PID算法很有帮助,于是将系列文章翻译过来!在自我提高的过程中,也希望对同道中人有所帮助.作者Brett Beaure ...

  6. LODOP中table自动分页补线加border

    LODOP中可以用ADD_PRINT_TABLE.ADD_PRINT_HTM.ADD_PRINT_HTML.ADD_PRINT_TBURL等可以输出超文本的表格,超文有超过打印项高度或纸张高度自动分页 ...

  7. Flutter Bloc状态管理 简单上手

    我们都知道,Flutter中Widget的状态控制了UI的更新,比如最常见的StatefulWidget,通过调用setState({})方法来刷新控件.那么其他类型的控件,比如StatelessWi ...

  8. C++STL位标志、智能指针与异常处理

    参考<21天学通C++>第25章节,对STL位标志进行介绍.就是当需要不是像char int long 等整个字节数的数据表示形式,而是使用二进制位表示的时候,通常使用这里讲到的位标志.从 ...

  9. 微信小程序之页面传值并且根据产品类别(主从关系)的赋值操作

    <view class="title"> <view class="titleName">{{cname}}</view> ...

  10. samtools获取uniq reads

    参考地址: https://www.biostars.org/p/56246/ -q INT only include reads with mapping quality >= INT [0] ...