CVE: |
|
CVE-2010-0155 |
|
| Vendor: |
|
IBM |
|
| Product: |
|
Proventia
Network Mail Security System
|
|
| Vulnerabilities: |
|
CRLF Injection
|
|
| Risk: |
|
Medium |
|
| Attack
Vector: |
|
From
Remote |
|
Authentication:
Reference:
|
|
Required
N/A
|
|
|
|
|
|
Description
Web-based
Local Management Interface of IBM
Proventia Network Mail Security System appliance (firmware 1.6)
is
vulnerable to a CRLF Injection vulnerability. When
exploited by an authenticated attacker, such vulnerability could lead to
compromising the
security of the appliance,
allowing injection
of custom HTTP cookies, forcing external redirects, potential HTTP Response
Splitting attacks, etc.
The affected resource is not part of the IBM PNMSS firmware
2.5.
By manipulating the
javaVersion parameter of load.php resource, an authenticated attacker can
perform the attacks above.
The following exploit allows
injecting custom cookies used by the client browser during a valid
HTTP session:
url_placeholder/load.php?browVerOK=true&browVerPerfect=false&javaVersion=any%0D%0ASet-cookie:
%20MyOwnCookie=SOME_DATA_HERE&javaVendor=Sun%20Microsystems%20Inc.&javaEnabled=true&
welcome=true&detectionFlag=1&popupBlocked=no
The following exploit
allows forcing external browser redirects: url_placeholder/load.php?browVerOK=true&browVerPerfect=false&javaVersion=any%0D%0ALocation:
%20http://www.google.com%0D%0A&javaVendor=Sun%20Microsystems%20Inc.&javaEnabled=true&
welcome=true&detectionFlag=1&popupBlocked=no
Affected Versions
IBM Proventia
Network Mail Security System - virtual appliance (firmware 1.6)
Mitigation
Vendor recommends upgrading
to PNMSS firmware 2.5 or
later.
Alternatively,
please contact IBM for
technical support.
Disclosure Timeline
2009,
November 07: Vulnerabilities discovered and documented
2009,
November 08: Notification sent to IBM
2009,
November 09: IBM acknowledges receiving the report
2010,
September 12: MVSA-10-009 advisory published.
MVSA-10-009
Dr.
Marian
Ventuneac
|
|