Advantech Webaccess HMI/SCADA Software – Persistence Cross-Site Scripting

• Exploit Database
• 13 阅读

• 作者： SecPod Research
  日期： 2013-01-08
• 类别：

  • webapps
  平台：

  • asp
• 来源：https://www.exploit-db.com/exploits/23968/

• ##############################################################################
  #
  # Title: Advantech WebAccess HMI/SCADA Software Persistence Cross-Site
  #Scripting Vulnerability
  # Author : Antu Sanadi SecPod Technologies (www.secpod.com)
  # Vendor : http://webaccess.advantech.com/
  # Advisory : http://secpod.org/blog/?p=569
  #	 http://secpod.org/advisories/SecPod_Advantech_WebAccess_Stored_XSS_Vuln.txt
  # Software : Advantech WebAccess HMI/SCADA Software 7.0-2012.12.05
  # Date : 08/01/2013
  #
  ###############################################################################
  
  SecPod ID: 1046 10/12/2012 Issue Discovered
  18/12/2012 Vendor Notified
  No Response from vendor
  08/01/2013 Advisory Released
  
  
  Class: Cross-Site Scripting Severity: High
  
  
  Overview:
  ---------
  Advantech WebAccess HMI/SCADA Software Persistence Cross-Site Scripting
  Vulnerability.
  
  
  Technical Description:
  ----------------------
  Advantech WebAccess HMI/SCADA Software Persistence Cross-Site Scripting
  Vulnerability.
  
  Input passed via the 'ProjDesc' parameter in 'broadWeb/include/gAddNew.asp'
  (when tableName=pProject set) page is not properly verified before it is
  returned to the user. This can be exploited to execute arbitrary HTML and
  script code in a user's browser session in the context of a vulnerable site.
  
  The vulnerabilities are tested in Advantech WebAccess 7.0-2012.12.05 Other
  versionsmay also be affected.
  
  
  Impact:
  --------
  Successful exploitation will allow a remote authenticated attacker to execute
  arbitrary HTML code in a user's browser session in the context of a vulnerable
  application.
  
  
  Affected Software:
  ------------------
  Advantech WebAccess HMI/SCADA Software 7.0-2012.12.05
  
  Tested on Advantech WebAccess HMI/SCADA Software 7.0-2012.12.05 on Windows XP SP3
  
  
  References:
  -----------
  http://secpod.org/blog/?p=569
  http://webaccess.advantech.com
  http://secpod.org/advisories/SecPod_Advantech_WebAccess_Stored_XSS_Vuln.txt
  
  
  Proof of Concept:
  -----------------
  
  1) Login into project management interface 
   http://IP-Address/broadWeb/bwconfig.asp?username=admin
  2) Go to http://IP-Address/broadweb/bwproj.asp
  3) Create New Project with Project Description as <script>alert("XSS")<script>
  4) Now Java script '<script>alert("XSS")<script>' will be executed, 
   when 'bwproj.asp' will be loaded
  
  
  Solution:
  ----------
  Fix not available
  
  
  Risk Factor:
  -------------
  CVSS Score Report:
  ACCESS_VECTOR= NETWORK
  ACCESS_COMPLEXITY= MEDIUM
  AUTHENTICATION = SINGLE INSTANCE
  CONFIDENTIALITY_IMPACT = NONE
  INTEGRITY_IMPACT = COMPLETE
  AVAILABILITY_IMPACT= NONE
  EXPLOITABILITY = PROOF_OF_CONCEPT
  REMEDIATION_LEVEL= UNAVAILABLE
  REPORT_CONFIDENCE= CONFIRMED
  CVSS Base Score= 6.3 (High) (AV:N/AC:M/Au:SI/C:N/I:C/A:N)
  
  
  Credits:
  --------
  Antu Sanadi of SecPod Technologies has been credited with the discovery of this
  vulnerability.