Some vulnerabilities and weaknesses have been discovered in WhatsUp Professional, which can be exploited by malicious people to gain knowledge of certain information, conduct cross-site scripting attacks, and bypass certain security restrictions.

1) Input passed to NmConsole/Navigation.asp and to the "sHostname" parameter in NmConsole/ToolResults.asp is not properly sanitised before being returned to users. This can be exploited to execute arbitrary HTML and script code in a logged in user's browser session in context of a vulnerable site.

Example:
http://[host]:8022/NmConsole/Navigation.asp?">[code]

2) Input passed to NmConsole/Tools.asp and NmConsole/DeviceSelection.asp is also not properly sanitised before being returned to users. This can be exploited to execute arbitrary HTML and script code in a logged in user's browser session in context of a vulnerable site.

3) It's possible to disclose monitored devices without being logged in by passing arbitrary values to the "nDeviceGroupID" parameter in "NmConsole/utility/RenderMap.asp".

Example:
http://[host]:8022/NmConsole/utility/RenderMap.asp?nDeviceGroupID=2

4) Input passed to the "sRedirectUrl" and "sCancelURL" in NmConsole/DeviceSelection.asp is not properly verified, which makes it possible to redirect a user to an arbitrary web site.

It is also possible to disclose the source code of the ASP pages by appending a period to the end of the file extension.

5) Different error messages are returned during login to "NmConsole/Login.asp" depending on whether the supplied username or password is incorrect.

6) It is possible to disclose path information in 404 error messages returned by the service.

Example:
http://[host]:8022/NmConsole

7) An error in the authentication process can be exploited to access the administration section by setting the "User-Agent" HTTP header to "Ipswitch/1.0" and the "User-Application" HTTP header to "NmConsole" when accessing NmConsole/Default.asp.

NOTE: This is only remotely exploitable if the "Enable web server on port [port]" setting is enabled (not default setting).

The vulnerabilities and weaknesses have been confirmed in WhatsUp Professional 2006.

Solution
Restrict access to port 8022/tcp and disable the "Enable web server on port [port]" setting if enabled, and don't visit other web sites while logged in.

Provided and/or discovered by
1, 3, 4) David Maciejak
2, 5, 6) Reported by an anonymous person.
7) Kenneth F. Belva

Changelog
Further details available in Customer Area

Original Advisory
7) http://lists.grok.org.uk/pipermail/full-disclosure/2006-May/046095.html

Deep Links
Links available in Customer Area