############################################################################## # # Title : Advantech WebAccess HMI/SCADA Software Persistence Cross-Site # Scripting Vulnerability # Author : Antu Sanadi SecPod Technologies (www.secpod.com) # Vendor : http://webaccess.advantech.com/ # Advisory : http://secpod.org/blog/?p=569 # http://secpod.org/advisories/SecPod_Advantech_WebAccess_Stored_XSS_Vuln.txt # Software : Advantech WebAccess HMI/SCADA Software 7.0-2012.12.05 # Date : 08/01/2013 # ############################################################################### SecPod ID: 1046 10/12/2012 Issue Discovered 18/12/2012 Vendor Notified No Response from vendor 08/01/2013 Advisory Released Class: Cross-Site Scripting Severity: High Overview: --------- Advantech WebAccess HMI/SCADA Software Persistence Cross-Site Scripting Vulnerability. Technical Description: ---------------------- Advantech WebAccess HMI/SCADA Software Persistence Cross-Site Scripting Vulnerability. Input passed via the 'ProjDesc' parameter in 'broadWeb/include/gAddNew.asp' (when tableName=pProject set) page is not properly verified before it is returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of a vulnerable site. The vulnerabilities are tested in Advantech WebAccess 7.0-2012.12.05 Other versions may also be affected. Impact: -------- Successful exploitation will allow a remote authenticated attacker to execute arbitrary HTML code in a user's browser session in the context of a vulnerable application. Affected Software: ------------------ Advantech WebAccess HMI/SCADA Software 7.0-2012.12.05 Tested on Advantech WebAccess HMI/SCADA Software 7.0-2012.12.05 on Windows XP SP3 References: -----------Брой прочитания на тази страница: 966PBBoard v2.1.4 CMS – Multiple Vulnerabilitieshttp://webaccess.advantech.com http://secpod.org/advisories/SecPod_Advantech_WebAccess_Stored_XSS_Vuln.txt Proof of Concept: ----------------- 1) Login into project management interface http://IP-Address/broadWeb/bwconfig.asp?username=admin 2) Go to http://IP-Address/broadweb/bwproj.asp 3) Create New Project with Project Description as <script>alert("XSS")<script> 4) Now Java script '<script>alert("XSS")<script>' will be executed, when 'bwproj.asp' will be loaded Solution: ---------- Fix not available Risk Factor: ------------- CVSS Score Report: ACCESS_VECTOR = NETWORK ACCESS_COMPLEXITY = MEDIUM AUTHENTICATION = SINGLE INSTANCE CONFIDENTIALITY_IMPACT = NONE INTEGRITY_IMPACT = COMPLETE AVAILABILITY_IMPACT = NONE EXPLOITABILITY = PROOF_OF_CONCEPT REMEDIATION_LEVEL = UNAVAILABLE REPORT_CONFIDENCE = CONFIRMED CVSS Base Score = 6.3 (High) (AV:N/AC:M/Au:SI/C:N/I:C/A:N) Credits: -------- Antu Sanadi of SecPod Technologies has been credited with the discovery of this vulnerability.
Advantech WebAccess HMI/SCADA Software Persistence XSS Vulnerability