Allworx Server Manager Multiple Cross-Site Scripting Vulnerabilities

2017-11-15T00:00:00
ID ZSL-2017-5440
Type zeroscience
Reporter Gjoko Krstic
Modified 2017-11-15T00:00:00

Description

Title: Allworx Server Manager Multiple Cross-Site Scripting Vulnerabilities
Advisory ID: ZSL-2017-5440
Type: Local/Remote
Impact: Cross-Site Scripting
Risk: (3/5)
Release Date: 15.11.2017

Summary

The Allworx phone system enables users to manage voicemails in the Allworx Message Center and customize the personal phone system configurations using My Allworx Manager.

Description

Allworx server manager interface suffers from multiple reflected XSS vulnerabilities when input passed via several parameters to several scripts is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

Vendor

Allworx Corporation - <https://www.allworx.com>

Affected Version

6x, 6x12 and 48x

Tested On

Microsoft Windows 10
Server IST OIS

Vendor Status

[31.10.2017] Vulnerability discovered.
[01.11.2017] Vendor contacted.
[14.11.2017] No response from the vendor.
[15.11.2017] Public security advisory released.

PoC

allworx_xss.html

Credits

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>

References

[1] <https://packetstormsecurity.com/files/144993>
[2] <https://cxsecurity.com/issue/WLB-2017110084>
[3] <https://exchange.xforce.ibmcloud.com/vulnerabilities/134979>

Changelog

[15.11.2017] - Initial release
[24.11.2017] - Added reference [3]

Contact

Zero Science Lab

Web: <http://www.zeroscience.mk>
e-mail: lab@zeroscience.mk

                                        
                                            &lt;html&gt;&lt;head&gt;&lt;title&gt;403 Nothing to see.&lt;/title&gt;
&lt;link rel="Shortcut Icon" href="favicon.ico" type="image/x-icon"&gt;
&lt;style type="text/css"&gt;
&lt;!--
body {
	background-color: #000;
}
body,td,th {
	font-family: Verdana, Geneva, sans-serif;
}
a:link {
	color: #008FEF;
	text-decoration: none;
}
a:visited {
	color: #008FEF;
	text-decoration: none;
}
a:hover {
	text-decoration: underline;
	color: #666;
}
a:active {
	text-decoration: none;
}
--&gt;
&lt;/style&gt;
&lt;/head&gt;
&lt;body bgcolor=black&gt;
&lt;center&gt;
&lt;font color="#7E88A3" size="2"&gt;
&lt;br /&gt;&lt;br /&gt;
&lt;h1&gt;403 Nothing to see.&lt;/h1&gt;

You do not have the powah for this request /403.shtml&lt;br /&gt;&lt;br /&gt;
&lt;font size="2"&gt;&lt;a href="https://www.zeroscience.mk"&gt;https://www.zeroscience.mk&lt;/a&gt;&lt;/font&gt;
&lt;/font&gt;&lt;/center&gt;
&lt;/body&gt;&lt;/html&gt;