lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <ac4f27bf-aa02-69fe-3eeb-f62d843993ce@syss.de>
Date: Fri, 11 Jan 2019 15:07:54 +0100
From: Micha Borrmann <micha.borrmann@...s.de>
To: <bugtraq@...urityfocus.com>
Subject: [SYSS-2018-042] XSS in HMS Netbiter WS100 - CVE-2018-19694

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Advisory ID:               SYSS-2018-042
Product:                   Netbiter WS100
Manufacturer:              HMS Industrial Networks AB
Affected Version(s):       3.30.5 <= 
Tested Version(s):         3.30.5 
Vulnerability Type:        Cross-Site Scripting (CWE-79)
Risk Level:                Low
Solution Status:           Fixed
Manufacturer Notification: 2018-11-29
Solution Date:             2018-12-20
Public Disclosure:         2019-01-11
CVE Reference:             CVE-2018-19694
Authors of Advisory:       Micha Borrmann (SySS GmbH)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

Netbiter WS100 is a remote management solution for industrial control
(e.g. emergency generators) (see [1]).

Due to improper input validation, the web-based remote management
solution is vulnerable to reflected cross-site scripting attacks.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The login form reflects values from parameters without any kind of
filtering or escaping.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

The following attack vector exemplarily demonstrates the described
reflected cross-site scripting vulnerability:

http://$TARGET/cgi-bin/write.cgi?page=%22;document.write(%27%3Ch1%3EXSS%20Demonstration%3C/h1%3E%27)//

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Install the provided security patch (see [2]).

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2018-11-29: Detection of the vulnerability
2018-11-29: CVE number assigned
2018-12-03: Vulnerability reported to manufacturer
2018-12-20: Security patch was released from the vendor
2019-01-11: Public release of the security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:
[1] Product web site
    https://www.netbiter.com/support/file-doc-downloads/netbiter-ws100
[2] HMS Security Advisory Report HMSSAR-2018-12-04-001
    https://www.hms-networks.com/docs/librariesprovider6/cybersecurity/hms-security-advisory-2018-12-04-001-ec150-ec250-lc310-lc350-ws100-ws200-cve-2018-19694.pdf
[3] SySS Security Advisory SYSS-2018-042
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2018-042.txt
[4] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Micha Borrmann of SySS GmbH.

E-Mail: micha.borrmann (at) syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Micha_Borrmann.asc
Key Fingerprint: F2E7 C6A5 9950 84ED 7AD6  0DD4 EDBE 26E7 14EA 5876

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory
may be updated in order to provide as accurate information as
possible. The latest version of this security advisory is available on
the SySS Web site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEE8ufGpZlQhO161g3U7b4m5xTqWHYFAlw4ozcACgkQ7b4m5xTq
WHbO4g//eCR/3uDF5Kr8G5Iybj8SkDbZVtkvvgX6E4NWKUEYC43F2buLtDqeei7k
CiELScdzz7n0SDhmbZLG9NT5Luo9Uu62bDfVejm9c6zLug0VftvX280HyPK51oxf
c3lX7mo5ZClq+Uj0UW/Pr4yZHhTEipySpRAOa1IM2VQqSN2tGThD/IOycZa3FmaL
qk5h+H+hIZKBhFGuowFhNULouP076l6ib66K/v6yXTO6BkcHNiHToUAWkoRuQ0rB
LEikXeAZqmv7DfKRwLhGJWzga4YDOQN0BCoVDtEzgpgf3ogyvwNMKnq5WxylfLn/
T2q8w4jvCmoPtQPRtW1IHGloMngso9O1bXBKzLAbS4EP/RJYzI8iazKVr7x9gpv0
7bw9+lQ9McMLLAiGgkJgMcWOjtaZpB+T5XegVbTjk/4g3kP6XCY8ZA4cvqxQ/QM5
4X5m5bk48ZW/agIqB+a8LzQdtQhFhITZ62eLO13Qmq7vEdIhTx6I1LmIIcICelyQ
pY0aRtMcXePGZOSiO/gqO50L1giA4BjwUOtSekvpt0XP/D4thruUajEK+4hnvazP
eX9bzseBj5gkaYGEBkj3adKK/AK9GALCwhj4UMvSlUA7uhMRUDZxErCZwUrVt9xB
TM0wQddZ5TFCWy22WONVd2+I53WqU+FZbP/Ygv+S0o22nHM++4E=
=TBoG
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ