CVE-2019-11604 Quest KACE Systems Management Appliance

CVE-2019-11604 Quest KACE Systems Management Appliance <= 9.0 kbot_service_notsoap.php METHOD Reflected Cross-Site Scripting

1. ADVISORY INFORMATION
=======================
Product:        Quest KACE Systems Management Appliance
Vendor URL:     www.quest.com
Type:           Cross-Site Scripting [CWE-79]
Date found:     2018-09-09
Date published: 2019-05-19
CVSSv3 Score:   4.7 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N)
CVE:            CVE-2019-11604

2. CREDITS
==========
This vulnerability was discovered and researched by Julien Ahrens from
RCE Security.

3. VERSIONS AFFECTED
====================
Quest KACE Systems Management Appliance 9.0 and below

4. INTRODUCTION
===============
The KACE Systems Management Appliance (SMA) helps you accomplish these goals
by automating complex administrative tasks and modernizing your unified endpoint
management approach. This makes it possible for you to inventory all hardware
and software, patch mission-critical applications and OS, reduce the risk of
breach, and assure software license compliance. So you're able to reduce systems
management complexity and safeguard your vulnerable endpoints.

(from the vendor's homepage)

5. VULNERABILITY DETAILS
========================
The script "/service/kbot_service_notsoap.php" is vulnerable to an unauthenticated
reflected Cross-Site Scripting vulnerability when user-supplied input to the
HTTP GET parameter "METHOD" is processed by the web application. Since the
application does not properly validate and sanitize this parameter, it is
possible to place arbitrary script code onto the same page.

The following Proof-of-Concept triggers this vulnerability:
https://127.0.0.1/service/kbot_service_notsoap.php?METHOD=&lt;script>alert(document.domain)</script>

6. RISK
=======
To successfully exploit this vulnerability an unauthenticated or authenticated
user must be tricked into visiting an arbitrary website.

The vulnerability can be used to temporarily embed arbitrary script code into the
context of the appliance web interface, which offers a wide range of possible
attacks such as redirecting the user to a malicious page, spoofing content on the
page or attacking the browser and its plugins. Since all session-relevant cookies
are protected by HTTPOnly, it is not possible to hijack sessions.

7. SOLUTION
===========
Update to Quest KACE Systems Management Appliance 9.1

8. REPORT TIMELINE
==================
2018-09-09: Discovery of the vulnerability
2019-02-28: Tried to notify vendor via their vulnerability report form
            but unfortunately the WAF protecting the form blocked the
            Proof-of-Concept payload
2019-02-28: Sent another notification without any payloads
2019-02-28: Vendor response
2019-03-01: Sent the exploit payload in a separate mail
2019-03-01: Vendor acknowledges the issue (tracked as K1-20409) which will
            be fixed in the 9.1 release (released on 2019/04/15)
2019-03-01: Vendor asks to delay the disclosure to make sure all customers
            had time to upgrade
2019-03-13: Requested disclosure extension granted
2019-04-30: CVE requested from MITRE
2019-04-30: MITRE assigns CVE-2019-11604
2019-05-19: Public disclosure

CVE-2019-11604 Quest KACE Systems Management Appliance <= 9.0 XSS的更多相关文章

  1. 2019年第一天——使用Visual Studio 2019 Preview创建第一个ASP.Net Core3.0的App

    一.前言: 全文翻译自:https://www.talkingdotnet.com/creating-first-asp-net-core-3-0-app-visual-studio-2019/ Vi ...

  2. CVE 2019 0708 安装重启之后 可能造成 手动IP地址丢失.

    1. 最近两天发现 更新了微软的CVE 2019-0708的补丁之后 之前设置的手动ip地址会变成 自动获取, 造成ip地址丢失.. 我昨天遇到两个, 今天同事又遇到一个.微软做补丁也不走心啊..

  3. nyoj 72-Financial Management (求和 ÷ 12.0)

    72-Financial Management 内存限制:64MB 时间限制:3000ms 特判: No 通过数:7 提交数:12 难度:1 题目描述: Larry graduated this ye ...

  4. 2019 vs 如何升级到.net core 3.0 版本

    写在前面 看到微软的官网都已经更新.NET CORE 3.0的版本了.发现自己的还是.NET CORE 2.1X 的版本. 那应该如果升级到.NET CORE 3.0 的版本呢? 思考 [1]首先,我 ...

  5. windows常用端口对应表

    端口概念 在网络技术中,端口(Port)大致有两种意思:一是物理意义上的端口,比如,ADSL Modem.集线器.交换机.路由器用于连接其他网络设备的接口,如RJ-45端口.SC端口等等.二是逻辑意义 ...

  6. port与大全portClose方法

    在网络技术,port(Port)通常,有两种含义:首先,物理意义port,例,ADSL Modem.枢纽.开关.路由器连接其他网络设备的接口,如RJ-45port.SCport等等.第二个是逻辑意义p ...

  7. port大全及port关闭方法

    在网络技术中,port(Port)大致有两种意思:一是物理意义上的port,比方,ADSL Modem.集线器.交换机.路由器用于连接其它网络设备的接口,如RJ-45port.SCport等等.二是逻 ...

  8. Windows操作系统上各种服务使用的端口号, 以及它们使用的协议的列表

    Windows操作系统上各种服务使用的端口号, 以及它们使用的协议的列表 列表如下 Port Protocol Network Service System Service System Servic ...

  9. Windows 端口和所提供的服务

    一 .端口大全 端口:0 服务:Reserved 说明:通常用于分析操作系统.这一方法能够工作是因为在一些系统中“0”是无效端口,当你试图使用通常的闭合端口连接它时将产生不同的结果.一种典型的扫描,使 ...

随机推荐

  1. std::shared_mutex和std::mutex的性能对比(banchmark)

    原文作者:@玄冬Wong 转载请注明原文出处:http://aigo.iteye.com/blog/2296462 key world: std::shared_mutex.std::mutex.pe ...

  2. linux中导入sql文件

    在linux中导入sql文件的方法分享(使用命令行转移mysql数据库) 因导出sql文件 在你原来的网站服务商处利用phpmyadmin导出数据库为sql文件,这个步骤大家都会,不赘述. 上传sql ...

  3. idea中copyright使用

    1,在idea中找到settings->Editor->copyright->copyright profiles,然后点击+,输入名字,在copyright text中输入模板.然 ...

  4. 抓取二维数组某值出来,到一维数组---array_column

    /*** * '抓取二维数组某值出来,到一维数组' * @param $arr * @param $item * @return array */ function get_arr_item_val( ...

  5. k8s版jenkins--master/slave模式实现CI/CD---带solo开源博客项目--带maven、djk、git工具

    k8s环境: 192.168.0.91 master 192.168.0.92 node 192.168.0.96 gitlab 192.168.0.98 harbor k8s集群安装请参照:http ...

  6. docker里安装kali linux

    docker里安装kali linux 官网镜像 docker search kali docker pull kalilinux/kali-linux-docker vi /etc/apt/sour ...

  7. 【嵌入式硬件Esp32】ESP32使用visual studio cod界面

     如何下载安装IDE Visual Studio Code大家可以在微软的官网上根据自身的开发平台下载,至于安装方法就是无脑式地按Next就好了,下载地址如下所示: Visual Studio Cod ...

  8. python实践项目二:列表转字符串

    将列表各元素转换为字符串并以规定形式返回. 假定有下面这样的列表:spam = ['apples', 'bananas', 'tofu', 'cats'],将其转换成字符串:'apples, bana ...

  9. Machine Learning Glossary

    http://people.seas.harvard.edu/~mgelbart/glossary.html more at:http://www.metacademy.org/list

  10. Google大数据三大论文

    简介:https://blog.csdn.net/w1573007/article/details/52966742 论文中英文版下载http://pan.baidu.com/s/1slUy4sl   ...