XSS vulnerability in 'Monitor_Bandwidth' - PRTG Traffic Grapher
1. General information
PRTG Traffic Grapher is a network monitoring solution, which helps
manage and classify bandwidth usage of a network by providing accurate
results about network traffic and usage trends in graphs and tables. The
software also supports SNMP (Simple Network Management Protocol). PRTG
Traffic Grapher is available at http://www.paessler.com.
In April 2009, Bkis discovered a vulnerability in PRTG Traffic Grapher.
A hacker might exploit this hole to insert malicious codes into links to
be executed in the user=92 browsers, resulting in the loss of cookies,
session, etc.
Bkis has sent the warning to PRTG Traffic Grapher developer and the
vulnerability has now been fixed.
Details : http://blog.bkis.com/?p=704
Bkis Advisory : Bkis-09-2009.
Initial vendor notification : 11/05/2009
Release Date : 28/05/2009
Update Date : 28/05/2009
Discovered by : Truong Truong Quan, Bkis.
Attack Type : XSS.
Security Rating : High.
Impact : Code Execution.
Affected Software : PRTG Traffic Grapher V6.2.2.977 and earlier versions.
2. Technical details
The identified XSS vulnerability resides in the Monitor_Bandwidth
function of the software. Specifically, the software fails to adequately
validate the input parameters.
To exploit the hole, hackers will trick users into accessing the links
containing malicious scripts. If users have already logged in PRTG
Traffic Grapher as administrators, the hackers will be able to gain the
control over the work sessions and then the complete control over PRTG
Traffice Grapher.
3. Solution
Bkis recommends that organizations, businesses using PRTG Traffic
Grapher immediately get the latest version of the software at
http://www.paessler.com/prtg6/download
Bkis