Insert JS into logs via username field
Brought to you by:
adamfranco
To exploit persistent Cross Site Scripting, Rapid7 entered the following information within the login
page:
Username: <script>alert('xss')</script>
Password: passwd
Next, we logged into Segue2 as an administrator and opened the "Browse Logs" page for Harmoni. Below
is a screenshot of the page:
This attack can be used to gain administrator privileges on the Segue2 system. An attacker only needs
to perform a GET request with the administrator’s session information with the request and then review
the web server logs to extract the information.
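The root cause described above is a log viewer that writes stored usernames into the admin page as raw HTML. The following is an added example (not Harmoni or Segue code, and in Python rather than the project's PHP) that shows the vulnerable rendering beside the hardened one, which HTML-escapes every log field at output time, plus a small check a maintainer can run over the rendered page to confirm that no tag other than the template's own survived. The log entries are constructed for the example; the second one carries the payload from the report.

```python
import html
import re

# Constructed sample log entries (not real Harmoni log data) in the shape a
# login page might record: the submitted username plus the outcome.
LOG_ENTRIES = [
    {"user": "alice", "event": "login succeeded"},
    {"user": "<script>alert('xss')</script>", "event": "login failed"},
]

# Tags the log-viewer template itself emits; anything else in the rendered
# output must have come from untrusted log data.
TEMPLATE_TAGS = {"table", "thead", "tbody", "tr", "th", "td"}


def render_row_unsafe(entry):
    """Vulnerable rendering: log fields are pasted into the HTML verbatim,
    which is the behaviour the report describes."""
    return "<tr><td>{}</td><td>{}</td></tr>".format(entry["user"], entry["event"])


def render_row_safe(entry):
    """Hardened rendering: every field is HTML-escaped at output time, so a
    stored username is displayed as text instead of being parsed as markup."""
    return "<tr><td>{}</td><td>{}</td></tr>".format(
        html.escape(entry["user"], quote=True),
        html.escape(entry["event"], quote=True),
    )


def render_log_table(entries, render_row):
    """Build the whole 'Browse Logs' table with the given row renderer."""
    rows = "".join(render_row(e) for e in entries)
    return (
        "<table><thead><tr><th>user</th><th>event</th></tr></thead>"
        "<tbody>{}</tbody></table>".format(rows)
    )


# Matches the tag name of every opening or closing tag in the output.
_TAG_RE = re.compile(r"<\s*/?\s*([A-Za-z][A-Za-z0-9-]*)")


def unexpected_tags(rendered_html):
    """Return the sorted list of tag names that the template did not emit.
    A non-empty result means untrusted data reached the page as live markup;
    this makes a cheap regression check for a log viewer."""
    found = {m.group(1).lower() for m in _TAG_RE.finditer(rendered_html)}
    return sorted(found - TEMPLATE_TAGS)


if __name__ == "__main__":
    for name, renderer in (("unsafe", render_row_unsafe), ("safe", render_row_safe)):
        page = render_log_table(LOG_ENTRIES, renderer)
        print(name, "-> unexpected tags:", unexpected_tags(page))
```

Escaping at the point of output is the fix that covers every field, not just the username; filtering at the point the log is written is a useful second layer but cannot be relied on alone, since the same stored value may later be rendered by a different page.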
Found during Rapid7 security audit.
Fixed in Harmoni 1.4.7/Segue 2.0-Beta 30.
Logs are no longer a vector for XSS injection/persistence.