{"vuid":"VU#166739","idnumber":"166739","name":"APC Network Management Card web interface vulnerable to cross-site scripting and cross-site request forgery","keywords":["XSRF","XSS","Cross-site Request Forgery","Cross-site Scripting","AP9617/8/9","AP9630/31"],"overview":"The web management interface for the APC Network Monitoring Card (NMC) used in various APC devices contains cross-site scripting (XSS) and cross-site request forgery (CSRF/XSRF) vulnerabilities. By convincing a victim to load a specially crafted URL while authenticated to an NMC, an attacker could obtain credentials or perform certain actions as the victim, including turning off the NMC-based device and any systems attached to it.","clean_desc":"Some APC uninterruptible power supplies (UPS) support remote network management using several types of Network Monitoring Card (NMC). The NMC web management interface does not adequately filter user-supplied data before that data is included in dynamically generated web pages, creating cross-site scripting (XSS) vulnerabilities. One XSS vulnerability occurs in the /Forms/login1?login_username field (CVE-2009-4406). There may be other XSS vulnerabilities in the NMC web management interface (CVE-2009-1798). The web interface also fails to adequately authenticate some requests, creating cross-site request forgery (CSRF/XSRF) vulnerabilities (CVE-2009-1797).","impact":"By convincing a victim to load a specially crafted URL while authenticated to an NMC, an attacker could obtain user credentials or perform certain actions as that user. It is possible to exploit the XSS vulnerabilities to obtain cookies and other page content, so an attacker could obtain administrative credentials. If the attacker were able to access the NMC directly, the attacker would have complete control and could reconfigure the UPS or turn it off, thereby turning off any systems connected to the UPS. Exploiting the CSRF vulnerabilities could allow an attacker to take certain actions via the web interface, including turning off the UPS and any connected systems.","resolution":"Update firmware: Update NMC firmware as specified by APC. Release notes indicate that these vulnerabilities are addressed in firmware version 3.7.2 for certain NMCs. APC has indicated that the vulnerabilities are also addressed in firmware version 5.1.1.","workarounds":"Disable web interface: Disabling the web management interface will prevent exploitation of these vulnerabilities. Restrict access: As a general good security practice, only allow connections from trusted hosts and networks. Consider setting up management networks as separate and dedicated channels. Note that restricting access does not prevent XSS or CSRF attacks since the attack comes as an HTTP request from a legitimate user's host. Restricting access would prevent an attacker from accessing an NMC using stolen credentials from a blocked network location.","sysaffected":"","thanks":"These vulnerabilities were researched and reported by Russ McRee. Jamal Pecou also reported CVE-2009-4406.","author":"This document was written by Art Manion.","public":["http://holisticinfosec.org/content/view/111/45/","http://nam-en.apc.com/cgi-bin/nam_en.cfg/php/enduser/std_adp.php?p_faqid=10887&p_created=1261587018&p_topview=1","http://www.securityfocus.com/archive/1/508468/30/60/threaded","http://www.securityfocus.com/archive/1/508468/100/0/threaded","http://www.securityfocus.com/bid/37338/info","http://www.apcmedia.com/salestools/PMAR-82BMH5_R0_EN.zip"],"cveids":["CVE-2009-1797","CVE-2009-1798","CVE-2009-4406"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2009-05-28T20:28:16Z","publicdate":"2009-12-14T00:00:00Z","datefirstpublished":"2010-02-25T02:42:16Z","dateupdated":"2010-04-29T16:25:44Z","revision":27,"vrda_d1_directreport":"1","vrda_d1_population":"3","vrda_d1_impact":"2","cam_widelyknown":"0","cam_exploitation":"0","cam_internetinfrastructure":"0","cam_population":"0","cam_impact":"0","cam_easeofexploitation":"0","cam_attackeraccessrequired":"0","cam_scorecurrent":"0","cam_scorecurrentwidelyknown":"0","cam_scorecurrentwidelyknownexploited":"0","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":0.0,"vulnote":null}