83179 : IBM System Storage Multiple Product SoftwareRegistration.do updateRegn Parameter XSS
Printer | http://osvdb.org/83179 | Email This | Edit Vulnerability

Views This Week	Views All Time	Added to OSVDB	Last Modified	Modified (since 2008)	Percent Complete
5	458	11 months ago	4 months ago	13 times	100%

Timeline

Disclosure Date
2012-06-15

Time to Patch	Time to Exploit	Time to Vendor Response
57 days	109 days	7 days

Description

Multiple IBM System Storage products contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'updateRegn' parameter upon submission to the SoftwareRegistration.do script. This may allow a user to create a specially crafted request that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

Classification

Location: Remote / Network Access
Attack Type: Input Manipulation
Impact: Loss of Integrity
Solution: Upgrade
Exploit: Exploit Public
Disclosure: Vendor Verified, Coordinated Disclosure
OSVDB: Web Related

Solution

Upgrade to version 10.83.xx.18 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Products

IBM Corporation	System Storage DS Storage Manager	10.60.xx.xx
	System Storage DS Storage Manager	10.77.xx.xx
	IBM System Storage DCS3700	1818
	IBM System Storage DS3300	1726
	IBM System Storage DS5020	1814-20a
	System Storage DS3200	1726
	System Storage DS3400	1726
	System Storage DS3512	1746
	System Storage DS3950	1814
	System Storage DS4200	1814
	System Storage DS4300	1722
	System Storage DS4500	1742
	System Storage DS4800	1815
	System Storage DS5100	1818
	System Storage DS5300	1818
	TotalStorage DS4100	1724
	TotalStorage DS4400 Midrange Disk System	1814

References

Security Tracker: 1027194
Exploit Database: 19321
CVE ID: 2012-2172 (see also: NVD)
Secunia Advisory ID: 49582
Bugtraq ID: 54112
ISS X-Force ID: 75239
Related OSVDB ID: 83177
Other Advisory URL: http://cxsecurity.com/issue/WLB-2012060257
http://www.securelist.com/en/advisories/49582
http://www.zeroscience.mk/codes/ibmssdssmp_sqlixss.txt
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5094.php
Packet Storm: http://packetstormsecurity.org/files/114008
Vendor Specific Advisory URL: http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5090850&brandind=5000028
https://www-304.ibm.com/connections/blogs/PSIRT/entry/secbulletin_stg-storage_cve-2012-2171_cve-2012-2172?lang=en_us

Credit

Gjoko Krstic - Zero Science Lab

CVSSv2 Score

CVSSv2 Base Score = 4.3
Source: nvd.nist.gov | Generated: 2012-06-22 | Disagree?

Comments

Add Comment Hide Add Comment

No Comments.

The database information may change without any notice. Use of the information constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the copyright holder or distributor (OSVDB or OSF) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

Timeline

Description

Classification

Solution

Products

IBM Corporation

System Storage DS Storage Manager

IBM System Storage DCS3700

IBM System Storage DS3300

IBM System Storage DS5020

System Storage DS3200

System Storage DS3400

System Storage DS3512

System Storage DS3950

System Storage DS4200

System Storage DS4300

System Storage DS4500

System Storage DS4800

System Storage DS5100

System Storage DS5300

TotalStorage DS4100

TotalStorage DS4400 Midrange Disk System

References

Credit

CVSSv2 Score

Comments