ServersCheck Monitoring Software Cross Site Scripting Vulnerability

# Exploit Title: ServersCheck Monitoring Software before 14.2.3 Cross-site  scripting vulnerability
# CVE: CVE-2017-17832
# Date: 21-12-2017
# Exploit Author: Aloyce J. Makalanga
# Contact: https://twitter.com/aloycemjr <https://twitter.com/aloycemjr>
# Vendor Homepage: http://serverscheck.com
# Category: webapps
# Attack Type: Remote
# Impact: Data/Cookie theft

***Disclosure Timeline***

20-12-2017 - Vulnerability discovered
20-12-2017 - Vulnerability reported to the vendor
21-12-2017 - Vendor responded indicating that a patch will be available within 24 hours
21-12-2017 - Patch released (See https://serverscheck.com/monitoring-software/release.asp <https://serverscheck.com/monitoring-software/release.asp> )


1. Description


ServersCheck Monitoring Software before 14.2.3 is prone to a cross-site  scripting vulnerability as user supplied-data is not validated/sanitized when passed in the settings_SMS_ALERT_TYPE parameter, and JavaScript can be executed on settings-save.html (the Settings - SMS Alerts page). If exploited, an authenticated attacker could steal victims' cookie, session tokens or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.


2. Proof of Concept

See: https://serverscheck.com/monitoring-software/release.asp <https://serverscheck.com/monitoring-software/release.asp>


3. Solution:

Update to version 14.2.3
http://downloads.serverscheck.com/monitoring_software/setup.exe

#  0day.today [2018-04-12]  #