06 April, 2011

Anfibia Reactor 2.1.1 (login.do) Remote XSS POST Injection Vulnerability

Vendor: Anfibia Software
Product web page: http://www.anfibia-soft.com
Affected version: 2.1.1.12

Summary: Fast web-based server monitoring. Keep an eye on servers,
connections, databases, cpu, hard drives and more!

Desc: The Anfibia Reactor JS service suffers from a reflected XSS vulnerability:
user input submitted via POST in the 'email' parameter of the 'reactor/login.do'
script (the manager login interface) is echoed back into the page without being
sanitised or encoded. An attacker who lures a user into submitting a crafted
login form can execute arbitrary HTML and script code in that user's browser
session.

Tested on: Microsoft Windows XP Professional SP3 (EN)


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
liquidworm gmail com
Zero Science Lab - http://www.zeroscience.mk


[14.03.2011] Vulnerability discovered.
[16.03.2011] Contacted the vendor.
[16.03.2011] Vendor replies asking for more details.
[16.03.2011] Sent vulnerability details to vendor.
[16.03.2011] Vendor confirms XSS issue.
[06.04.2011] Vendor releases version 3 to address this issue.
[06.04.2011] Coordinated public advisory released.

http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5008.php

http://www.zeroscience.mk/codes/anfibiareactor_xss.txt
