General Electric Intelligent Platforms (GE-IP) Proficy Historian Web Administrator Cross-Site Scripting (XSS) Vulnerability
November 1, 2011
Security researchers Billy Rios and Terry McCorkle have discovered a vulnerability within the
General Electric Intelligent Platforms (GE-IP) Proficy
Historian used with the Cimplicity and iFix software suites.
The vulnerability reported in Proficy Historian can be
exploited by malicious people to conduct cross-site
scripting attacks and compromise a vulnerable system.
Certain unspecified input is not properly sanitised within
the Web Administrator component before being returned to the
user. This can be exploited to execute arbitrary HTML and
script code in a user's browser session in the context of an
affected site.
Successful exploitation of this vulnerability may allow
execution of arbitrary code.
All versions of Proficy Historian, Proficy
HMI/SCADA-CIMPLICITY 8.1 and 8.2, and Proficy HMI/SCADA-iFIX
5.0 and 5.1 are vulnerable.
SCADAhacker comment:
Billy Rios and Terry McCorkle presented a session at DerbyCon
2011 entitled "100 Bugs in 100 Days: An Analysis of ICS
(SCADA) Software". You can view the presentation by
clicking here.