Xplico 0.5.7 Cross Site Scripting

2010-07-03T00:00:00
ID PACKETSTORM:91428
Type packetstorm
Reporter Maximiliano Soler
Modified 2010-07-03T00:00:00

Description

                                        
Xplico v0.5.7 (add.ctp) Remote XSS Vulnerability  
  
Title: Xplico v0.5.7 (add.ctp) Remote XSS Vulnerability  
Type: Remote  
Impact: Cross-Site Scripting  
Release Date: 02.07.2010  
Release mode: Coordinated release  
  
Summary  
=======  
  
The goal of Xplico is to extract the application data contained in an internet  
traffic capture. For example, from a pcap file Xplico extracts each email (POP, IMAP,  
and SMTP protocols), all HTTP contents, each VoIP call (SIP), FTP, TFTP, and so on.  
Xplico isn’t a network protocol analyzer. Xplico is an open source Network Forensic  
Analysis Tool (NFAT).  
  
Description  
===========  
  
Xplico is vulnerable to Cross-Site Scripting. An attacker can use a "POST" request  
to take advantage of this vulnerability, injecting code into the web pages  
viewed by other users.  
  
--------------------------------------------------------------------------------  
  
Detecting vulnerabilities  
- /opt/xplico/xi/app/views/pols/add.ctp:13  
- /opt/xplico/xi/app/views/pols/add.ctp:14  
- /opt/xplico/xi/app/views/sols/add.ctp:10  
  
--------------------------------------------------------------------------------  
  
  
Vendor  
======  
  
Xplico Team - http://www.xplico.org  
  
  
Affected Version  
================  
  
0.5.7  
  
PoC  
===  
  
- /opt/xplico/xi/app/views/pols/add.ctp:13  
echo $form->input('Pol.name', array('maxlength'=> 50, 'size' => '50','label' => 'Case name'));  
  
  
Attack: Case name=[XSS] (POST)  
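
The 'maxlength' => 50 option in the view line above only sets an HTML attribute, so the POSTed case name still needs a server-side check and output encoding. The following is an added example in plain PHP, not Xplico's code or its 0.5.8 patch; the function names and the allowed character set are assumptions.

```php
<?php
// Added example, not Xplico code. Function names and the allow-list
// below are assumptions made for illustration.

// Server-side check of the POSTed case name. The form's maxlength of 50
// is only a browser hint; a hand-built POST request can ignore it.
function validate_case_name(string $name): ?string
{
    $name = trim($name);
    // Assumed policy: 1 to 50 letters, digits, spaces, dots, underscores
    // or hyphens. \A and \z anchor the whole string, /u counts code points.
    if (!preg_match('/\A[\p{L}\p{N} ._-]{1,50}\z/u', $name)) {
        return null; // reject instead of trying to "clean" the value
    }
    return $name;
}

// Output encoding for an HTML text node or a quoted attribute value.
function h_case_name(string $name): string
{
    return htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample inputs; harmless markup stands in for [XSS].
$samples = [
    'Office LAN 2010-06',
    '<i>case</i>',
    str_repeat('A', 51), // longer than the declared maxlength
];

foreach ($samples as $posted) {
    $clean = validate_case_name($posted);
    printf(
        "%-9s rendered=%s\n",
        $clean === null ? 'rejected' : 'accepted',
        // Encode on output regardless of validation, so names stored
        // before the check existed are also rendered as inert text.
        h_case_name($posted)
    );
}
```

Validation limits what gets stored; encoding at render time is what keeps a stored name from being interpreted as markup in another user's browser.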
  
  
Credits  
=======  
  
Vulnerability discovered by Marcos Garcia (@artsweb) and Maximiliano Soler (@maxisoler).  
  
  
Solution  
========  
  
Upgrade to Xplico v0.5.8 (http://sourceforge.net/projects/xplico/files/)  
  
  
Vendor Status  
=============  
[22.06.2010] Vulnerability discovered.  
[22.06.2010] Vendor informed.  
[22.06.2010] Vendor replied.  
[24.06.2010] Asked vendor for confirmation.  
[24.06.2010] Vendor confirms vulnerability.  
[24.06.2010] Asked vendor for status.  
[24.06.2010] Vendor replied.  
[29.06.2010] Vendor reveals patch release date.  
[29.06.2010] Coordinated public advisory.  
  
  
References  
==========  
  
[1] http://www.xplico.org/archives/710  
  
  
Changelog  
=========  
  
[02.07.2010] - Initial release  
  
  
Web: http://www.zeroscience.mk  
e-mail: lab@zeroscience.mk  
  