SSD Advisory – Sophos XG Firewall Path Traversal

Want to get paid for a vulnerability similar to this one?
Contact us at: sxsxdx@xbxexyxoxnxdxsxexcxuxrxixtxy.xcom

Vulnerabilities Summary
The following advisory describe two (2) vulnerabilities, a Path Traversal and a Missing Function Level Access Control, in Sophos XG Firewall 16.05.4 MR-4.

Sophos XG Firewall provides “unprecedented visibility into your network, users, and applications directly from the all-new control center. You also get rich on-box reporting and the option to add Sophos iView for centralized reporting across multiple firewalls”.

Credit
An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program

Vendor response
The vendor has released patches to address this vulnerability:
“The patches were released as part of SFOS 16.05.5 MR5:
https://community.sophos.com/products/xg-firewall/b/xg-blog/posts/sfos-16-05-5-mr5-released

Our internal bug number was NC-18958, mentioned in the changelog”

Continue reading SSD Advisory – Sophos XG Firewall Path Traversal

SSD Advisory – HPE OpenCall Media Platform (OCMP) Multiple Vulnerabilities

Want to get paid for a vulnerability similar to this one?
Contact us at: sxsxdx@xbxexyxoxnxdxsxexcxuxrxixtxy.xcom

Vulnerabilities Summary
The following advisory describes Reflected Cross-Site Scripting (XSS) vulnerabilities and a Remote File Inclusion vulnerability that when combined can lead to arbitrary Javascript code execution, were found in HP OpenCall Media Platform (OCMP), version 4.3.2.

HPE OpenCall Media Platform (OCMP) is a suite of software and hardware applications which allow implementation of common telecom operator services such as voicemail, sms (short message service), prepaid, billing, hlr, etc. It implements industry standard telecom protocols and standards such as SS7, ISUP, TCAP, SIP, MRCP, RTSP, and VoiceXML.

HPE OpenCall Media Platform offers a highly scalable, easy-to-manage, carrier-grade media platform that adapts to future networks and applications. Through its strong support of open standards and protocols, new applications can be rapidly developed and deployed in a way that preserves investments and reduces capital expenditures (CAPEX) and operational expenditure (OPEX).

There are 3 different components that are vulnerable in HPE OpenCall Media Platform (OCMP), and for each component has the following vulnerabilities:

  • Application Content Manager
  1. Reflected Cross-Site Scripting (XSS) – /mcm/resources/


  • Platform Administration Tool
  1. Reflected Cross-Site Scripting (XSS) that leads to arbitrary Javascript code execution
  2. Reflected Cross-Site Scripting (XSS) – GetMapAction function, LEV_TYPE0 parameter
  3. Reflected Cross-Site Scripting (XSS) – GetMapAction function, LEV_TYPE1 parameter
  4. Reflected Cross-Site Scripting (XSS) – GetMapAction function, LEV_TYPE2 parameter
  5. Reflected Cross-Site Scripting (XSS) – GetMapAction function, LEV_TYPE3 parameter
  6. Reflected Cross-Site Scripting (XSS) – GetMapAction function, LEV_NAME0 parameter
  7. Reflected Cross-Site Scripting (XSS) – GetMapAction function, LEV_NAME1 parameter
  8. Reflected Cross-Site Scripting (XSS) – GetMapAction function, LEV_NAME2 parameter
  9. Reflected Cross-Site Scripting (XSS) – GetMapAction function, LEV_NAME3 parameter
  10. Reflected Cross-Site Scripting (XSS) – GetMapAction function
  11. Reflected Cross-Site Scripting (XSS) – GetMapAction function, LEV_NUM parameter
  12. Reflected Cross-Site Scripting (XSS) – GetMapAction function, NAME parameter
  13. Reflected Cross-Site Scripting (XSS) – cdrdispatch function, next parameter
  14. Reflected Cross-Site Scripting (XSS) – cdrdispatch function, sessionType parameter


  • VoiceXML Administration Tool
  1. Reflected Cross-Site Scripting (XSS) – event.do function
  2. Reflected Cross-Site Scripting (XSS) – call.do function
  3. Remote File Inclusion – proxylink.do function


Credit
An independent security researcher Paolo Stagno from VoidSec has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.

Vendor Responses
HPE has released patches to address this vulnerability, for more details see:
https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbgn03686en_us

Continue reading SSD Advisory – HPE OpenCall Media Platform (OCMP) Multiple Vulnerabilities