Viprinet VPN Hub Router Cross Site Scripting Vulnerability

ID 1337DAY-ID-31369
Type zdt
Reporter Denis Kolegov
Modified 2018-10-22T00:00:00


Exploit for php platform in category web applications

                                            New Hope Team identified a stored XSS in Viprinet VPN Hub Router.

Input validation and output escaping mechanisms are missing for CLI
interface. Stored XSS is possible. By exploiting that vulnerability an
attacker can obtain sensitive information (e.g., private key) or modify a
remote routeras SSL certificate fingerprint employed in VPN tunneling.

Vulnerability Description:
There are two management interfaces in the Viprinet system. One of them is
a CLI which is available via And the second one is a Web
There is an access control mechanism which allows to add an user and give
him a privilege to write or read to some sections of the app (sections

Steps to Reproduce:
1. Add an user and give him write access to QOSTEMPLATES and TRAFFICRULES.
2. The user should have access to the CLI and Web Interface.
3. Add a new ITEM in the TRAFFICRULES section.
4. Using CLI, the added user with minimal privileges could set Name for
created ITEM to  <svg/onload=alert(ViprinetSessionId)>
5. If the root user logs in, an alert window with sessionID will be shown.

It should be noted, that passing a session ID in URL as a mitigation
technique (actively used by Viprinet) does not work here.

The same report was sent to Viprinet in September 2018.

# [2018-10-22]  #