
CERT Coordination Center

Netsweeper Internet Filter WebAdmin Portal multiple vulnerabilities

Vulnerability Note VU#763795

Original Release Date: 2012-07-09 | Last Revised: 2014-07-29

Overview

Netsweeper Internet Filter WebAdmin Portal contains XSS, CSRF and SQLi vulnerabilities.

Description

Netsweeper Internet Filter's WebAdmin Portal contains the following XSS, CSRF and SQLi vulnerabilities.

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CVE-2012-2446:
(1) The Netsweeper Internet Filter WebAdmin Portal is vulnerable to reflected XSS via the HTTP POST method to the /webadmin/tools/local_lookup.php?action=lookup function using the group parameter. The reported reflected XSS allows for information disclosure and arbitrary JavaScript code execution that can lead to the compromise of a user's account, machine, or other sensitive information.

CWE-352: Cross-Site Request Forgery (CSRF) CVE-2012-2447:
(2) The Netsweeper Internet Filter WebAdmin Portal is vulnerable to CSRF via the HTTP POST method in the /webadmin/accountmgr/adminupdate.php?act=add function. The reported CSRF allows for a breach of the content filtering system, resulting in complete compromise of an organization's Internet content filter and control over users' Internet traffic.

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') CVE-2012-3859:
(3) The Netsweeper Internet Filter WebAdmin Portal is vulnerable to SQL injection in the sortorder and sortitem variables. An example of a vulnerable URL is http://SERVER_Hostname/webadmin/reporter/view_details.php?sortitem=report_date&sortorder=asc&type=demand&id=1441.
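The sortitem and sortorder values above end up in an ORDER BY clause, and SQL identifiers cannot be bound as query parameters, so the usual fix is an allow-list rather than escaping. The following is an added example (not Netsweeper's code) showing that pattern for view_details.php alongside HTML-escaping of the group value echoed by local_lookup.php; the column names, table layout and sample rows are assumptions constructed for the demonstration.

```python
import html
import sqlite3

# Allow-lists for the view_details.php sort parameters. The parameter names come
# from the advisory; the column set is a constructed assumption, not Netsweeper's schema.
SORT_COLUMNS = {"report_date", "url", "user_name"}
SORT_ORDERS = {"asc", "desc"}


def build_details_query(sortitem: str, sortorder: str) -> str:
    """Return a query whose ORDER BY is built only from allow-listed identifiers.

    Column names and sort direction cannot be passed as bound parameters, so the
    request values are mapped onto a fixed set and anything else is rejected
    instead of being interpolated into the SQL text.
    """
    if sortitem not in SORT_COLUMNS:
        raise ValueError(f"unknown sort column: {sortitem!r}")
    order = sortorder.lower()
    if order not in SORT_ORDERS:
        raise ValueError(f"unknown sort order: {sortorder!r}")
    # The report id is data, so it is bound with a placeholder rather than formatted in.
    return f"SELECT id, report_date, url FROM reports WHERE id = ? ORDER BY {sortitem} {order.upper()}"


def is_accepted(sortitem: str, sortorder: str) -> bool:
    """True if the sort parameters pass the allow-list check."""
    try:
        build_details_query(sortitem, sortorder)
        return True
    except ValueError:
        return False


def fetch_details(conn, report_id: int, sortitem: str, sortorder: str):
    sql = build_details_query(sortitem, sortorder)
    return conn.execute(sql, (report_id,)).fetchall()


def render_group(group: str) -> str:
    """Escape the local_lookup.php 'group' value before reflecting it into HTML."""
    return f"<p>Results for group {html.escape(group, quote=True)}</p>"


def demo_db():
    # Constructed in-memory sample data standing in for the reporter's table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE reports (id INTEGER, report_date TEXT, url TEXT)")
    conn.executemany("INSERT INTO reports VALUES (?, ?, ?)", [
        (1441, "2012-06-01", "http://example.com/a"),
        (1441, "2012-06-02", "http://example.com/b"),
    ])
    return conn
```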

Impact

An attacker with access to the Netsweeper Internet Filter WebAdmin Portal web interface can conduct a cross-site scripting, cross-site request forgery, or SQL injection attack, which could result in information leakage, privilege escalation, and/or denial of service.

Solution

Update

The vendor has stated that these vulnerabilities have been addressed in Netsweeper version 3.0.6. Users are advised to upgrade to version 3.0.6 or higher.

Restrict access

As a general good security practice, only allow connections from trusted hosts and networks. Note that restricting access does not prevent XSS, CSRF, or SQLi attacks since the attack comes as an HTTP request from a legitimate user's host. Restricting access would prevent an attacker from accessing the Netsweeper Internet Filter WebAdmin Portal web interface using stolen credentials from a blocked network location.

Vendor Information

Netsweeper: Affected

Notified: June 04, 2012 | Updated: June 28, 2012

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.


CVSS Metrics

Group Score Vector
Base 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P
Temporal 5.3 E:POC/RL:OF/RC:C
Environmental 1.3 CDP:ND/TD:L/CR:ND/IR:ND/AR:ND

Acknowledgements

Thanks to Jacob Holcomb of Leland Public Schools for reporting this vulnerability.

This document was written by Michael Orlando.

Other Information

CVE IDs: CVE-2012-2446, CVE-2012-2447, CVE-2012-3859
Date Public: 2012-07-09
Date First Published: 2012-07-09
Date Last Updated: 2014-07-29 21:05 UTC
Document Revision: 27

Sponsored by CISA.