ServersCheck Monitoring Software versions prior to 14.2.3 suffers from a cross site scripting vulnerability.
5d726e783e063a527c15ce6c9c68493a# Exploit Title: ServersCheck Monitoring Software before 14.2.3 Cross-site scripting vulnerability
# CVE: CVE-2017-17832
# Date: 21-12-2017
# Exploit Author: Aloyce J. Makalanga
# Contact: https://twitter.com/aloycemjr <https://twitter.com/aloycemjr>
# Vendor Homepage: http://serverscheck.com
# Category: webapps
# Attack Type: Remote
# Impact: Data/Cookie theft
***Disclosure Timeline***
20-12-2017 - Vulnerability discovered
20-12-2017 - Vulnerability reported to the vendor
21-12-2017 - Vendor responded indicating that a patch will be available within 24 hours
21-12-2017 - Patch released (See https://serverscheck.com/monitoring-software/release.asp <https://serverscheck.com/monitoring-software/release.asp> )
1. Description
ServersCheck Monitoring Software before 14.2.3 is prone to a cross-site scripting vulnerability as user supplied-data is not validated/sanitized when passed in the settings_SMS_ALERT_TYPE parameter, and JavaScript can be executed on settings-save.html (the Settings - SMS Alerts page). If exploited, an authenticated attacker could steal victims' cookie, session tokens or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
2. Proof of Concept
See: https://serverscheck.com/monitoring-software/release.asp <https://serverscheck.com/monitoring-software/release.asp>
3. Solution:
Update to version 14.2.3
http://downloads.serverscheck.com/monitoring_software/setup.exe