Infoblox Cross-site scripting vulnerabilities

Subject: Infoblox Cross-site scripting vulnerabilities

Exploit Title: Infoblox Cross-site scripting vulnerabilities
Product: Infoblox Network Automation
Vulnerable Versions: 7.0.1 and all previous versions 
Tested Version: 6.9.2
Advisory Publication: 06/09/2016
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: NONE
Credit: Alex Haynes

Advisory Details:

(1) Vendor & Product Description


Product & Version:
Infoblox Network Automation v7.0.1

Vendor URL & Download:

Product Description:
"Infoblox also offers a complementary, powerful network automation platform which enables discovery, switch port management, network change configuration and compliance management for multi-vendor network devices. Automation cuts down administrator workload and reduces risk of network outages due to improper configurations or changes."

(2) Vulnerability Details:
There are many cross-site scripting vulnerabilities present in netmri. Many parameters are vulnerable from the login page itself to other pages once the user is authenticated. Proof of concept examples below:
\u201c_formstack\u201d variable vulnerable to XSS.
\u201cskipjackPassword\u201d variable and \u201cskipjackUsername\u201d variable are also vulnerable in the same URL.
\u201cDefaultTitle\u201d parameter is vulnerable in the URL below (this page is from after authentication):
The \u201cdefaultAccordion\u201d, \u201cdefaultMenu\u201d and \u201cdefaultPage\u201d parameters are also vulnerable.
In the help Section, the \u201chelpId\u201d parameter is vulnerable:

(3) Advisory Timeline:
25/01/2016 - First Contact informing vendor of vulnerabilities. No response.
01/02/2016 - Follow up e-mail to inform them of vulnerabilities. Response requesting further information.
01/02/2016 - Information on vulnerabilities sent to vendor. No response.
08/02/2016 - follow up e-mail requesting update. Vendor responds asking us to open a support ticket.
12/02/2016 - Infoblox products out of support so cannot raise ticket. write to vendor to explain situation. No response.
24/02/2016 - Follow up with vendor on vulnerabilities requesting an update.
10/03/2016 - Final follow up to vendor requesting an update. Vendor responds and opens support ticket for vulnerabilities, mentioning they will look into vulnerabilities.
14/03/2016 - vendor responds saying they are able to reproduce vulnerabilities
17/03/2016 - Vendor responds saying some of the vulnerabilities are already fixed in version 7.0.4 but cannot confirm which ones.
05/04/2016 - Request update from vendor on status of vulnerabilities.
12/04/2016 - Vendor responds saying CSRF already fixed in 7.0.1, XSS and HTTP Splitting to be fixed in upcoming 7.1.1 - expected release in summer.
30/06/2016 - Patch 7.1.1 released
06/09/2016 - Public disclosure

Upgrade to Version 7.1.1

(5) Credits:
Discovered by Alex Haynes

Copyright © 1995-2018 All rights reserved.