Xplico v0.5.7 (add.ctp) Remote XSS Vulnerability

Title: Xplico v0.5.7 (add.ctp) Remote XSS Vulnerability
Type: Remote
Impact: Cross-Site Scripting
Release Date: 02.07.2010
Release mode: Coordinated release

Summary
=======

The goal of Xplico is to extract the application data contained in an internet traffic capture. For example, from a pcap file Xplico extracts each email (POP, IMAP, and SMTP protocols), all HTTP contents, each VoIP call (SIP), FTP, TFTP, and so on. Xplico isn't a network protocol analyzer. Xplico is an open source Network Forensic Analysis Tool (NFAT).

Description
===========

Xplico is vulnerable to a Cross-Site Scripting vulnerability. An attacker can use a "POST" request to take advantage of this vulnerability, injecting code into the web pages viewed by other users.

--------------------------------------------------------------------------------
Detecting vulnerabilities

- /opt/xplico/xi/app/views/pols/add.ctp:13
- /opt/xplico/xi/app/views/pols/add.ctp:14
- /opt/xplico/xi/app/views/sols/add.ctp:10
--------------------------------------------------------------------------------

Vendor
======

Xplico Team - http://www.xplico.org

Affected Version
================

0.5.7

PoC
===

- /opt/xplico/xi/app/views/pols/add.ctp:13

    echo $form->input('Pol.name', array('maxlength'=> 50, 'size' => '50','label' => 'Case name'));

Attack: Case name=[XSS] (POST)

Credits
=======

Vulnerability discovered by Marcos Garcia (@artsweb) and Maximiliano Soler (@maxisoler).

Solution
========

Upgrade to Xplico v0.5.8 (http://sourceforge.net/projects/xplico/files/)

Vendor Status
=============

[22.06.2010] Vulnerability discovered.
[22.06.2010] Vendor informed.
[22.06.2010] Vendor replied.
[24.06.2010] Asked vendor for confirmation.
[24.06.2010] Vendor confirms vulnerability.
[24.06.2010] Asked vendor for status.
[24.06.2010] Vendor replied.
[29.06.2010] Vendor reveals patch release date.
[29.06.2010] Coordinated public advisory.

References
==========

[1] http://www.xplico.org/archives/710

Changelog
=========

[02.07.2010] - Initial release

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk
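
A defensive sketch for the "Case name" field from the PoC, added here as an example; it is not Xplico code and not the v0.5.8 patch. The `maxlength` attribute on the form is enforced only by the browser, so a direct POST is not bound by it: the example repeats the length check server-side and HTML-encodes the value wherever it is printed. The function names, the allowed character set and the sample inputs are assumptions.

```php
<?php
// Added example, not Xplico code. Names and the allow-list are assumptions.

/**
 * Server-side check of the posted case name.
 * Returns the trimmed name, or null when the value must be rejected.
 */
function validate_case_name($raw)
{
    if (!is_string($raw)) {
        return null;                 // e.g. an array sent as name[]=...
    }
    $name = trim($raw);
    // Assumed allow-list: letters, digits, space, dot, underscore, hyphen.
    // {1,50} mirrors 'maxlength' => 50 from add.ctp, counted in characters.
    if (!preg_match('/^[\p{L}\p{N} ._-]{1,50}$/u', $name)) {
        return null;
    }
    return $name;
}

/**
 * HTML-encode a value at the point where a view prints it.
 * This is the control that stops injected markup from being interpreted;
 * the validation above only narrows what gets stored.
 */
function render_case_name($stored)
{
    return htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
}

// Constructed sample inputs, as they could arrive in a POST body.
$samples = array(
    'Office capture 2010-06',        // ordinary case name
    str_repeat('A', 51),             // longer than the form's maxlength
    '<b>case</b>',                   // markup, rejected by the allow-list
);

foreach ($samples as $posted) {
    $name = validate_case_name($posted);
    echo ($name === null ? 'rejected' : 'accepted'), ': ',
         render_case_name($posted), PHP_EOL;   // encoded even when rejected
}
```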