Vigil@nce: APC NMC, vulnerabilities of the web interface
January 2010 by Vigil@nce
An attacker can generate a Cross Site Scripting and a Cross Site
Request Forgery on APC Network Management Card products.
– Severity: 2/4
– Consequences: privileged access/rights, client access/rights
– Provenance: document
– Means of attack: no proof of concept, no attack
– Ability of attacker: expert (4/4)
– Confidence: confirmed by the editor (5/5)
– Diffusion of the vulnerable configuration: high (3/3)
– Creation date: 29/12/2009
IMPACTED PRODUCTS
– APC PowerChute Network Shutdown
DESCRIPTION OF THE VULNERABILITY
The APC PowerChute Network Shutdown software uses APC UPS Network
Management Card to manage systems shutdown.
APC NMC cards have a web administration server.
However, this web server is not protected against Cross Site
Scripting nor Cross Site Request Forgery attacks.
An attacker can therefore invite the victim to see a malicious web
page, in order to execute administrative commands on APC NMC.
CHARACTERISTICS
– Identifiers: 10887, BID-37338, CVE-2009-1797, CVE-2009-1798,
CVE-2009-4406, VIGILANCE-VUL-9311
– Url: http://vigilance.fr/vulnerability/APC-NMC-vulnerabilities-of-the-web-interface-9311