0day.today - Biggest Exploit Database in the World.

Select your language:

Things you should know about 0day.today:

We use one main domain: http://0day.today
Most of the materials is completely FREE
If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD

We accept currencies: [contact admin to find more]

We don't want you to use our site as a tool for hacking purposes, so any kind of action that could affect illegaly other users or websites that you don't have right to access will be banned and your account including your data will be destroyed.

Administration of this site uses the official contacts. Beware of impostors!

We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!

I am registered user of 0day.today. I don't want to see this screen in future.

What to do first?

Read the [ agreement ]
Read the [ Submit ] rules
Visit the [ faq ] page
[ Register ] profile
Get [ GOLD ]
If you want to [ sell ]
If you want to [ buy ]
If you lost [ Account ]
Any questions [ admin@0day.today ]

Main links

You can contact us by

Mail:

mr.inj3ct0r@gmail.com

Facebook:

Inj3ct0rs

Twitter:

Inj3ct0r

Telegram:

We DO NOT use Telegram or any messengers / social networks!

[ authorization ] [ registration ] [ restore account ]

You can contact us by:

Mail:

mr.inj3ct0r@gmail.com

Facebook:

Inj3ct0rs

Twitter:

Inj3ct0r

Telegram:

We DO NOT use Telegram or any messengers / social networks!

InterWorx Web Control Panel Cross Site Scripting Vulnerability

Author

Eric Flokstra

Risk

[

Security Risk Medium

]

0day-ID

Category

Date add

CVE

Platform

==============================================
Product: InterWorx Web Control Panel
Vendor: InterWorx LLC
Tested Version: 5.0.12 build 569
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2014-2035
Risk Level: Medium
CVSSv2 Base Score: 6.4 (AV:N/AC:L/Au:N/C:P/I:P/A:N)
Solution Status: Fixed in Version 5.0.13 build 574
Discovered and Provided: Eric Flokstra (www.itsec.nl)
==============================================

About the Vendor
-------------------------
The InterWorx Hosting Control Panel is a web hosting and linux server
management system that provides tools for server administrators to
command their servers and for end users to oversee the operations of
their website.

Advisory Details:
-------------------------
Reflected cross-site scripting (XSS) vulnerability in the InterWorx
Web Control Panel.

The application uses XMLHttpRequests to post messages to the web
server. However, insufficient output encoding is performed enabling
remote execution of arbitrary scripting code in the target's web
browser. By changing the request method from POST to GET the following
URL could be used as proof of concept:

http://demo.interworx.com:2080/xhr.php?i={%22r%22%3a%22Form_InputValidator%22%2c%22i%22%3a{%22form%22%3a%22Form_NW_Shell_ForbiddenUsers%22%2c%22ctrl%22%3a%22\%2fnodeworx\%2fshell%3Cimg%20src%3dx%20onerror%3dalert%28%27XSS%27%29%3E%22%2c%22input%22%3a%22forbidden_unix_users%22%2c%22value%22%3a%22moi%22%2c%22where_was_i%22%3a%22%2fnodeworx%2fshell%22}}

Vendor contact timeline:
------------------------------------
18 Feb 2014: Vendor notification
18 Feb 2014: Vulnerability confirmation
19 Feb 2014: Issue patched
20 Feb 2014: Public disclosure

Solution:
------------
Upgrade to the latest version (5.0.13 build 574) of InterWorx Web Control Panel.

#  0day.today [2024-11-15]  #

We DO NOT use Telegram or any messengers / social networks!

Please, beware of scammers!

InterWorx Web Control Panel Cross Site Scripting Vulnerability

Report Error

Report Error