WebCTRL OEM 6.5 – ‘locale’ Reflected Cross-Site Scripting (XSS)

• Exploit Database
• 17 阅读

• 作者： 3ndG4me
  日期： 2021-10-29
• 类别：

  • webapps
  平台：

  • multiple
• 来源：https://www.exploit-db.com/exploits/50463/

• # Exploit Title: WebCTRL OEM 6.5 - 'locale' Reflected Cross-Site Scripting (XSS)
  # Date: 4/07/2021
  # Exploit Author: 3ndG4me
  # Vendor Homepage: https://www.automatedlogic.com/en/products/webctrl-building-automation-system/
  # Version: 6.5 and Below
  # CVE : CVE-2021-31682
  
  --Summary--
  
  The login portal for the Automated Logic WebCTRL/WebCTRL OEM web application contains a vulnerability that allows for reflected XSS attacks due to the operatorlocale GET parameter not being sanitized. 
  
  Automated Logic
  https://www.automatedlogic.com/en/products-services/webctrl-building-automation-system/
  
  --Affects--
  
  - WebCTRL OEM
  - Versions 6.5 and prior
  
  --Details--
  
  The login portal for the Automated Logic WebCTRL/WebCTRL OEM web application contains a vulnerability that allows for reflected XSS attacks due to the operatorlocale GET parameter not being sanitized. This issue impacts versions 6.5 and below. This issue works by passing in a basic XSS payload to a vulnerable GET parameter that is reflected in the output without sanitization. This can allow for several issues including but not limited to:
  
  - Hijacking a user's session
  - Using XSS payloads to capture input (keylogging)
  
  
  -- Proof of Concept --
  The following URL parameter was impacted and can be exploited with the sample payload provided below:
  - https://example.com/index.jsp?operatorlocale=en/><script>alert("xss")</script> 
  
  --Mitigation--
  
  Sanitize any user controlled input in both form fields and URL parameters to properly encode data so it is not rendered as arbitrary HTML/JavaScript.
  
  --Timeline--
  
  - 4/07/2021: XSS Vulnerability was discovered and documented. 
  - 4/17/2021: A temporary CVE identifier was requested by MITRE. Automated Logic was also notified with the full details of each finding via their product security contact at https://www.automatedlogic.com/en/about/security-commitment/. A baseline 90 day disclosure timeline was established in the initial communication.
  - 7/23/2021: MITRE Assigns CVE ID CVE-2021-31682 to the vulnerability.
  - 9/08/2021: Automated Logic formally responds requesting the CVE identifier and states that the issue should be patched in newer versions of the product.
  - 10/20/2021: The researcher responds with the CVE identifier and a request for all impacted version numbers so they can release a more accurate impacted list of products when full disclosure occurs. Automate Logic responds with a list of impacted versions the same day, and the researcher publicly discloses the issue and submits a CVE details update request to MTIRE.