HP Client Security Manager 8.3.4 Cross-Site Scripting Vulnerability


Vendor: HP Inc.
Product web page: http://www.hp.com
Affected version: 8.3.4.1811

Summary: HP Client Security Manager provides enhanced Windows login and website single-sign-on capabilities. Security Manager is also the host for HP Client Security plugins and should be installed before other Client Security modules. This package is provided for supported notebook models running a supported operating system.

Desc: HP Client Security Manager is prone to XSS attacks because of lacking sanitization of data from HTML forms. It makes any site vulnerable even without XSS presence on the site.

Tested on: Microsoft Windows 7 Professional SP1 (EN)
           Microsoft Windows 7 Ultimate SP1 (EN)


Vulnerability discovered by Ewerson Guimaraes (Crash)


Advisory ID: ZSL-2016-5299
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5299.php


09.10.2015


Reproduction:

When you make a login process in any site that the HP Client Security Manager intercepts and render the username mixed with the site.

To trigger this vuln, just use some payload like <img src="lala.gif"onerror="alert(document.cookie)"> in the username HTML form.
For this reason any site can be exploited even without XSS presence directly in the site.