Invensys Wonderware Information Server Multiple Security Vulnerabilities
BID:52851
Info
Invensys Wonderware Information Server Multiple Security Vulnerabilities
| Bugtraq ID: | 52851 |
| Class: | Unknown |
| CVE: |
CVE-2012-0228 CVE-2012-0226 CVE-2012-0225 |
| Remote: | Yes |
| Local: | No |
| Published: | Apr 02 2012 12:00AM |
| Updated: | Apr 02 2012 12:00AM |
| Credit: | Terry McCorkle and Billy Rios |
| Vulnerable: |
Invensys Wonderware Information Server 4.5 Portal Invensys Wonderware Information Server 4.5 Client Invensys Wonderware Information Server 4.0 SP1 |
| Not Vulnerable: | |
Discussion
Invensys Wonderware Information Server Multiple Security Vulnerabilities
Invensys Wonderware Information Server is prone to multiple security vulnerabilities, including:
1. A cross-site scripting vulnerability
2. A SQL-injection vulnerability
3. A security-bypass vulnerability
Attackers can leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of an affected site, steal cookie-based authentication credentials, perform unauthorized actions, obtain sensitive information, redirect a user to a potentially malicious site, cause a denial-of-service condition and compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Other attacks are also possible.
Invensys Wonderware Information Server is prone to multiple security vulnerabilities, including:
1. A cross-site scripting vulnerability
2. A SQL-injection vulnerability
3. A security-bypass vulnerability
Attackers can leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of an affected site, steal cookie-based authentication credentials, perform unauthorized actions, obtain sensitive information, redirect a user to a potentially malicious site, cause a denial-of-service condition and compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Other attacks are also possible.
Exploit / POC
Invensys Wonderware Information Server Multiple Security Vulnerabilities
Attackers can exploit these issues using a browser. To exploit a cross-site scripting vulnerability, an attacker must entice an unsuspecting victim into following a URI.
Attackers can exploit these issues using a browser. To exploit a cross-site scripting vulnerability, an attacker must entice an unsuspecting victim into following a URI.
Solution / Fix
Invensys Wonderware Information Server Multiple Security Vulnerabilities
Solution:
Updates are available. Please see the references for more information.
Solution:
Updates are available. Please see the references for more information.
References
Invensys Wonderware Information Server Multiple Security Vulnerabilities
References:
References:
- Wonderware Information Server Homepage (Invensys )
- ICSA-12-062-01�??INVENSYS WONDERWARE INFORMATION SERVER MULTIPLE VULNERABILITIES (Terry McCorkle)