Detectify got 2 XSS on Virtualmin/Webmin

#1 Wed, 01/23/2013 - 06:46
neocydfr

Hi,

I've recently used the Detectify app on my website.

All was OK on my website, but not on all of my server. The only exploits found were... on Virtualmin.

2x XSS

Can be used in order to grab cookies, cause run-by attacks, phishing, browser based exploitation or tabnabbing.

URL: https://domain.tld:20000/session_login.cgi
URL: https://domain.tld:10000/session_login.cgi

COOKIES: PHPSESSID=0ijbf57f8en02mn98euc580q16; testing=1
POST: page=%2F&user=%22%2F%3E%3Cdetectify%3EknVqAc1DF8&pass=&save=1

<tr class='ui_form_pair'>
<td class='ui_form_label' ><b>Username</b></td>
<td class='ui_form_value' colspan=1 ><input class='ui_textbox' name="user" value="&quot;/><detectify>knVqAc1DF8" size=20 ></td>
</tr>
<tr class='ui_form_pair'>
<td class='ui_form_label' ><b>Password</b>

And 2x Input AutoComplete

The input appears to be used for confidential data, however autocomplete is still activated. In case of a Cross-Site Scripting (XSS) incident, such data may be siphoned by the attacker if you've previously entered it into the input.

URL: https://domain.tld:20000/session_login.cgi
URL: https://domain.tld:10000/session_login.cgi

COOKIES: PHPSESSID=0ijbf57f8en02mn98euc580q16; testing=1
POST: page=%252F&user=&pass=&save=1

<form class="ui_form" action="/session_login.cgi" method="post">
<input class='ui_hidden' type=hidden name="page" value="/">
<table class='shrinkwrapper' width=40% class='loginform'>
<tr><td>
<table class='ui_table' width=40% class='loginform'>
<thead><tr><td></b></td></tr></thead>
<tbody>
<tr class='ui_table_body'>
<td colspan=1><table width=100%>
<tr class='ui_form_pair'>
<td class='ui_form_value' colspan=2 align=center>You must enter a username and password to login to the Usermin server on <tt>monsterwin.fr</tt>.</td>
</tr>
<tr class='ui_form_pair'>
<td class='ui_form_label' ></b></td>
<td class='ui_form_value' colspan=1 ><input class='ui_textbox' name="user" value="" size=20 ></td>
</tr>
<tr class='ui_form_pair'>
<td class='ui_form_label' ></b></td>
<td class='ui_form_value' colspan=1 ><input class='ui_password' type=password name="pass" value="" size=20 ></td>
</tr>
<tr class='ui_form_pair'>
<td class='ui_form_label' ></b></td>
<td class='ui_form_value' colspan=1 ><input class='ui_checkbox' type=ch...

You can test on detectify.com.

Thanks.

Wed, 01/23/2013 - 11:45
JamieCameron

Which Webmin version are you running there? When I tried this, all that happened was that appeared in the username field, which doesn't seem like an exploit to me...

Wed, 01/23/2013 - 22:08
neocydfr

Webmin version 1.610
Virtualmin version 3.97.gpl GPL

;)

Wed, 01/23/2013 - 23:13
JamieCameron

Do you have an example wget or similar command that can demonstrate this attack? I think that detectify.com is giving false positives.

For example, in the HTML:

<tr class='ui_form_pair'>
<td class='ui_form_label' ><b>Username</b></td>
<td class='ui_form_value' colspan=1 ><input class='ui_textbox' name="user" value="&quot;/><detectify>knVqAc1DF8" size=20 ></td>
</tr>
<tr class='ui_form_pair'>
<td class='ui_form_label' ><b>Password</b>

the <detectify> tag is inside quotes.

Topic locked
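
One way to triage a finding like the one discussed in this thread, as an added example that is not part of the thread or of Webmin's code: parse the response with an HTML parser and record whether the scanner's probe becomes an element or stays inside a quoted attribute value. The unescaped variant is constructed for contrast, and the class and function names are hypothetical.

```python
from html.parser import HTMLParser

# Username row exactly as quoted in the thread (quote reflected as &quot;).
REPORTED = ("<tr class='ui_form_pair'> <td class='ui_form_label' ><b>Username</b></td> "
            "<td class='ui_form_value' colspan=1 ><input class='ui_textbox' name=\"user\" "
            "value=\"&quot;/><detectify>knVqAc1DF8\" size=20 ></td> </tr>")
# Constructed for contrast: the same row if the quote were reflected unescaped.
CONSTRUCTED_UNESCAPED = REPORTED.replace("&quot;", '"')


class ReflectionClassifier(HTMLParser):
    """Record every place the probe shows up once the response is parsed."""

    def __init__(self, probe_tag, marker):
        super().__init__(convert_charrefs=True)
        self.probe_tag, self.marker = probe_tag.lower(), marker
        self.contexts = []

    def handle_starttag(self, tag, attrs):
        if tag == self.probe_tag:
            # The probe was parsed as markup: it escaped the attribute.
            self.contexts.append("element")
        for name, value in attrs:
            if value and self.marker in value:
                # The probe is only data inside an attribute value.
                self.contexts.append(f"attribute:{tag}[{name}]")

    def handle_data(self, data):
        if self.marker in data:
            self.contexts.append("text")


def classify_reflection(html, probe_tag="detectify", marker="knVqAc1DF8"):
    parser = ReflectionClassifier(probe_tag, marker)
    parser.feed(html)
    parser.close()
    return parser.contexts


def breaks_out(html):
    """True only if the probe tag exists as an element in the parsed document."""
    return "element" in classify_reflection(html)


if __name__ == "__main__":
    for label, doc in (("reported", REPORTED), ("constructed", CONSTRUCTED_UNESCAPED)):
        print(label, classify_reflection(doc), "breakout:", breaks_out(doc))
```

An attribute-only result covers this probe and this parameter only; it says nothing about other inputs or reflection contexts on the page.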