Vulnerability Description: Multiple Cross Site Scripting Reflected/Stored- CWE-79
Software Version: 5.2.0-20211008
NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-39813
CVSv3: 6,1
Severity: Medium
Credits: Luca Carbone, Fabio Romano, Stefano Scipioni, Massimiliano Brolli
Italtel NetMatch-S CI 5.2.0-20211008 allows Multiple Reflected/Stored XSS issues under NMSCIWebGui/j_security_check via the j_username parameter, or NMSCIWebGui/actloglineview.jsp via the name or actLine parameter. An attacker leveraging this vulnerability could inject arbitrary JavaScript. The payload would then be triggered every time an authenticated user browses the page containing it.
Step-by-step instructions and PoC.
The Web application does not properly check the parameters sent as input from clients before they are re-included within the HTTP pages returned by the application. In particular, the web gui is affected by both the stored and reflected type of this vulnerability. Due to the lack of validation of user input, it allows an attacker to modify the HTML code and the expected execution flow could be altered. The attack can be performed both pre and post authentication.
Affected Endpoints
· URL: https://[HOST]/[NODE-NAME]/NMSCI-WebGui/j_security_chec
o HTTP POST Parameter: j_username
· URL: https://[HOST]/[NODE-NAME]/NMSCI-WebGui/actloglineview.jsp
o HTTP POST Parameter: name, actLine
Below are the evidences with the vulnerability details and the payloads used.
URL: https://[HOST]/[NODE-NAME]/NMSCI-WebGui/j_security_chec
Payload used to exploit the vulnerability:
POST /[NODE-NAME]/NMSCI-WebGui/j_security_check HTTP/1.1
Host: [HOST]
Cookie: [REDACTED]
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 69
Origin: https://[HOST]
Referer: https://[HOST]/[NODE-NAME]/NMSCI-WebGui/actlogview.jsp?name=test.csv;%3Cimg+src
Upgrade-Insecure-Requests: 1
Te: trailers
Connection: close
j_username=<img+src=x+onerror=alert(document.cookie)+>&j_password=%27
The endpoint is affected by the Stored type of this vulnerability. The first step consists of replacing the value in the “j_username” POST parameter with the javascript code. This value is stored in the application logs and an alert is generated (Authentication failure), which can be displayed by authenticated users. Since this kind of alerts generate a notification on the home page, the javascript code is executed as soon as a user logs into the web GUI. This vulnerability is particularly critical, since the attacker does not need any kind of access to the web application in order to exploit it.
