Vulnerability Note VU#384427

GoAhead Webserver multiple stored XSS vulnerabilities

Original Release date: 10 Oct 2011 | Last revised: 10 Oct 2011

Overview

GoAhead Webserver 2.18, and possibly previous or newer versions, is vulnerable to multiple stored and reflective cross-site scripting (XSS) vulnerabilities.

Description

GoAhead Webserver software fails to sanitize POST requests sent to multiple functions. As a result, stored and reflective cross-site scripting (XSS) attacks can be conducted. By inserting JavaScript code in an affected parameter, an attacker can inject code that runs each time the specified webpage is accessed.

According to the reporter, the following webpages and parameters are affected by stored and reflective XSS vulnerabilities:

  • Stored XSS in group parameter of addgroup.asp.
    POST /goform/AddGroup HTTP/1.1
    group=<script>alert(1337)</script>&privilege=4&method=1&enabled=on&ok=OK

    Results: Reflected XSS displayed in addgroup.asp, stored XSS in: adduser.asp, addlimit.asp, delgroup.asp.
  • Stored XSS in url parameter of addlimit.asp.
    POST /goform/AddAccessLimit HTTP/1.1
    url=<script>alert(1337)</script>&group=test&method=3&ok=OK

    Results: Stored when user requests dellimit.asp.
  • Stored XSS in adduser.asp, User ID parameter.
    Note: for this to work, there must be at least one valid group created in
    addgroup.asp. In this example, you can swap out the group=<script>alert(1337)
    for whichever group name you added.  password= and passconf= can also be
    modified to whichever password you want the new user to have.

    POST /goform/AddUser HTTP/1.1
    user=%3Cscript%3Ealert%281337%29%3C%2Fscript%3E&group=%3Cscript%3Ealert%281337%29%3C%2Fscript%3E&enabled=on&password=test&passconf=test&ok=OK

    Result: Reflected in reply, stored in: deluser.asp, dspuser.asp.
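
The missing step in the pages listed above is encoding stored values before they are written into HTML. The following is an added example, not GoAhead code and not part of the original note; the helper names html_escape and render_group_row and the buffer sizes are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not a GoAhead API): HTML-encode `in` into `out`.
 * Returns the encoded length, or -1 if `out` is too small. On failure
 * `out` is emptied so a truncated, half-encoded value is never emitted. */
long html_escape(const char *in, char *out, size_t outsz)
{
    size_t o = 0;

    if (in == NULL || out == NULL || outsz == 0)
        return -1;
    for (; *in != '\0'; in++) {
        const char *rep = NULL;
        switch (*in) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   break;
        }
        size_t n = rep ? strlen(rep) : 1;
        if (n >= outsz - o) {          /* keep one byte for the terminator */
            out[0] = '\0';
            return -1;
        }
        if (rep)
            memcpy(out + o, rep, n);
        else
            out[o] = *in;
        o += n;
    }
    out[o] = '\0';
    return (long)o;
}

/* Hypothetical renderer for one row of a group listing page: the stored
 * group name is encoded at output time, whatever was accepted on input. */
int render_group_row(const char *group, char *out, size_t outsz)
{
    char enc[256];

    if (html_escape(group, enc, sizeof enc) < 0)
        return -1;                     /* refuse to render rather than truncate */
    int n = snprintf(out, outsz, "<tr><td>%s</td></tr>", enc);
    return (n < 0 || (size_t)n >= outsz) ? -1 : n;
}
```

Encoding at output time covers every page that later displays the stored value, which matters here because a value submitted through one form is rendered by several other pages.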

Impact

An attacker with access to the GoAhead Webserver can conduct a cross-site scripting attack, which could result in information leakage, privilege escalation, and/or denial of service.

Solution

We are currently unaware of a practical solution to this problem.

Restrict access

As a general good security practice, only allow connections from trusted hosts and networks. Note that restricting access does not prevent XSS or CSRF attacks since the attack comes as an HTTP request from a legitimate user's host. Restricting access would prevent an attacker from accessing a GoAhead Webserver using stolen credentials from a blocked network location.

Vendor Information

The reporter was unable to confirm whether any previous or newer versions are vulnerable to these stored cross-site scripting (XSS) vulnerabilities.

Vendor                  Status    Date Notified  Date Updated
GoAhead Software, Inc.  Affected  -              07 Oct 2011
If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

Credit

Thanks to Silent Dream for reporting this vulnerability.

This document was written by Michael Orlando.

Other Information

  • CVE IDs: Unknown
  • Date Public: 10 Oct 2011
  • Date First Published: 10 Oct 2011
  • Date Last Updated: 10 Oct 2011
  • Severity Metric: 0.49
  • Document Revision: 20
