Vulnerability Note VU#763795

Netsweeper Internet Filter WebAdmin Portal multiple vulnerabilities

Original Release date: 09 Jul 2012 | Last revised: 20 Aug 2012

Overview

Netsweeper Internet Filter WebAdmin Portal contains XSS, CSRF and SQLi vulnerabilities.

Description

Netsweeper Internet Filter's WebAdmin Portal contains the following XSS, CSRF and SQLi vulnerabilities.

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CVE-2012-2446:
(1) The Netsweeper Internet Filter WebAdmin Portal is vulnerable to reflective XSS using the HTTP POST method to the /webadmin/tools/local_lookup.php?action=lookup function using the group parameter. The reflective XSS reported allows for information disclosure and arbitrary JavaScript code execution that can lead to the compromise of a user's account, machine, or other sensitive information.

CWE-352: Cross-Site Request Forgery (CSRF) CVE-2012-2447:
(2) The Netsweeper Internet Filter WebAdmin Portal is vulnerable to CSRF using the HTTP POST method in the /webadmin/accountmgr/adminupdate.php?act=add function. The CSRF reported allows for a breach in the content filtering system resulting in complete compromise of an organizations Internet content filter and control over users internet traffic.

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') CVE-2012-3859
(3) The Netsweeper Internet Filter WebAdmin Portal is vulnerable to SQL injection, in the sortorder and sortitem variables. An example of a vulnerable url is http://SERVER_Hostname/webadmin/reporter/view_details.php?sortitem=report_date&sortorder=asc&type=demand&id=1441.

Impact

An attacker with access to the Netsweeper Internet Filter WebAdmin Portal web interface can conduct a cross-site scripting, cross-site request forgery, or sql injection attack, which could be used to result in information leakage, privilege escalation, and/or denial of service.

Solution

Update

The vendor has stated that these vulnerabilities have been addressed in Netsweeper version 3.0.6. Users are advised to upgrade to version 3.0.6 or higher.

Restrict access

As a general good security practice, only allow connections from trusted hosts and networks. Note that restricting access does not prevent XSS, CSRF, or SQLi attacks since the attack comes as an HTTP request from a legitimate user's host. Restricting access would prevent an attacker from accessing the Netsweeper Internet Filter WebAdmin Portal web interface using stolen credentials from a blocked network location.

Vendor Information (Learn More)

VendorStatusDate NotifiedDate Updated
netsweeperAffected04 Jun 201228 Jun 2012
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base 6.3 AV:N/AC:M/Au:S/C:C/I:N/A:N
Temporal 4.8 E:POC/RL:W/RC:UC
Environmental 1.3 CDP:L/TD:L/CR:ND/IR:ND/AR:ND

References

Credit

Thanks to Jacob Holcomb of Leland Public Schools for reporting this vulnerability.

This document was written by Michael Orlando.

Other Information

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.