CVE-2010-2260 in Bandwidth Meterinfo

Summary

by MITRE

Multiple cross-site scripting (XSS) vulnerabilities in Gambit Design Bandwidth Meter, 0.72 and possibly 1.2, allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO to (1) view_by_name.php or (2) view_by_ip.php in admin/. NOTE: some sources report that the affected product is ShaPlus Bandwidth Meter, but this is incorrect.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 12/29/2017

The vulnerability identified as CVE-2010-2260 represents a critical cross-site scripting weakness in the Gambit Design Bandwidth Meter software version 0.72 and potentially 1.2. This flaw resides in the administrative interface of the bandwidth monitoring tool, specifically affecting two PHP scripts within the admin directory. The vulnerability stems from inadequate input validation and sanitization mechanisms that fail to properly process user-supplied data passed through the PATH_INFO server variable. Attackers can exploit this weakness by crafting malicious payloads that get executed within the context of other users' browsers when they access the affected administrative pages.

The technical implementation of this vulnerability involves the improper handling of the PATH_INFO parameter which is typically used to pass additional path information to PHP scripts. When the bandwidth meter application processes requests to view_by_name.php or view_by_ip.php, it directly incorporates user-provided data from the PATH_INFO variable into the HTML output without appropriate sanitization or encoding. This creates a classic XSS attack vector where malicious scripts can be injected and executed in the browser context of authenticated administrators or other users who access the affected pages.

The operational impact of this vulnerability is significant as it allows remote attackers to execute arbitrary web scripts and HTML code within the browser sessions of users accessing the administrative interface. An attacker could potentially steal session cookies, perform unauthorized administrative actions, redirect users to malicious websites, or inject phishing content that could compromise user credentials. Given that this affects the administrative interface, successful exploitation could lead to complete system compromise, especially if the affected users have elevated privileges. The vulnerability affects the bandwidth meter's ability to properly validate and sanitize input from the PATH_INFO parameter, creating persistent XSS conditions that could be exploited across multiple sessions.

This vulnerability maps directly to CWE-79, which specifically addresses Cross-Site Scripting flaws in software applications. The weakness demonstrates poor input validation practices and inadequate output encoding mechanisms that fail to distinguish between legitimate application data and potentially malicious user-supplied content. From an ATT&CK framework perspective, this vulnerability represents a technique for initial access and privilege escalation through web application exploitation, potentially enabling adversaries to establish persistent access to network monitoring systems. The attack surface is particularly concerning in enterprise environments where bandwidth monitoring tools often contain sensitive network data and administrative controls that could be leveraged for broader network infiltration. Organizations should implement proper input validation, output encoding, and regular security assessments to prevent exploitation of such vulnerabilities in their network monitoring infrastructure.

The affected product, ShaPlus Bandwidth Meter, is incorrectly identified in some sources as the vulnerable component, when the actual affected software is Gambit Design Bandwidth Meter. This misidentification highlights the importance of proper vulnerability classification and the need for thorough verification of affected products and versions. Security practitioners should always validate the specific software versions and implementations affected by reported vulnerabilities to ensure proper mitigation strategies are applied. The vulnerability demonstrates how insufficient security controls in web applications can create persistent risks that may remain undetected for extended periods, emphasizing the necessity of regular security audits and input validation testing.

Reservation

06/09/2010

Disclosure

06/09/2010

Moderation

accepted

Entry

VDB-53523

CPE

ready

Exploit

Download

EPSS

0.01075

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!