The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

computer vulnerability alert 9726

Trend Micro InterScan Web Security: five vulnerabilities

Synthesis of the vulnerability

Five vulnerabilities of Trend Micro InterScan Web Security Virtual Appliance can be used by an attacker to read/alter information or to execute code.
Vulnerable products: InterScan Web Security Suite.
Severity of this weakness: 3/4.
Consequences of a hack: administrator access/rights, user access/rights, data reading, data creation/edition.
Hacker's origin: document.
Number of vulnerabilities in this bulletin: 5.
Creation date: 23/06/2010.
Revision date: 02/07/2010.
References of this bulletin: BID-41039, BID-41072, BID-41296, CYBSEC Advisory#2010-0604, CYBSEC Advisory#2010-0605, CYBSEC Advisory#2010-0606, CYBSEC Advisory#2010-0701, VIGILANCE-VUL-9726.

Description of the vulnerability

Five vulnerabilities were announced in Trend Micro InterScan Web Security Virtual Appliance.

An attacker can use a Cross Site Request Forgery in order to alter rules or to add an administrator. [severity:3/4; BID-41039]

A local attacker can use uihelper in order to execute commands as root. [severity:2/4; BID-41072, CYBSEC Advisory#2010-0604]

An attacker can use com.trend.iwss.gui.servlet.XMLRPCcert to upload a file to the server. [severity:3/4; BID-41072, CYBSEC Advisory#2010-0605]

An attacker can use com.trend.iwss.gui.servlet.exportreport to read a file. [severity:3/4; BID-41072, CYBSEC Advisory#2010-0606]

An attacker can use the "desc", "metrics__notify_body" or "metrics__notify_subject" parameters in order to trigger a Cross Site Scripting. [severity:2/4; CYBSEC Advisory#2010-0701]