0 Replies Latest reply: Sep 23, 2013 10:53 AM by ktodd RSS

Advisory - Cross-Site Scripting Vulnerability in SecurityCenter

ktodd

Tenable SecurityCenter 4.6 - 4.7 devform.php message Parameter Reflected XSS

Tenable Network Security (http://tenable.com/)

 

Disclosure Date: September 23, 2013

CVE: CVE-2013-5911

OSVDB: 97584

Product: SecurityCenter (http://tenable.com/products/securitycenter)

Versions affected: 4.6.x, 4.6.x.x, 4.7

Risk factor: Medium / CVSS Base Score 4.3 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)

Credit: Jamieson O'Reilly

 

 

Synopsis:

 

SecurityCenter contains a flaw that allows a reflected cross-site scripting (XSS) attack. This flaw exists because the devform.php script, a development tool to interact with the API for   testing purposes, does not validate the 'message' parameter upon submission. This may allow an unauthenticated attacker to create a specially crafted request that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server, when the victim clicked on the URL.

 

Solution:

 

For existing installations, as an administrative user of the system, remove the 'devform.php' script from the server, or restrict access to the script.

# rm -f /opt/sc4/www/devform.php

 

 

Timeline:

Vendor contact: 2013-09-05

Vendor reply: 2013-09-05

Disclosure: 2013-09-23