HMS Netbiter WS100 versions 3.30.5 and below suffer from a cross site scripting vulnerability.
4c33dddf7eecb5e75d363ffe7b63d308
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Advisory ID: SYSS-2018-042
Product: Netbiter WS100
Manufacturer: HMS Industrial Networks AB
Affected Version(s): 3.30.5 <=
Tested Version(s): 3.30.5
Vulnerability Type: Cross-Site Scripting (CWE-79)
Risk Level: Low
Solution Status: Fixed
Manufacturer Notification: 2018-11-29
Solution Date: 2018-12-20
Public Disclosure: 2019-01-11
CVE Reference: CVE-2018-19694
Authors of Advisory: Micha Borrmann (SySS GmbH)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Overview:
Netbiter WS100 is a remote management solution for industrial control
(e.g. emergency generators) (see [1]).
Due to improper input validation, the web-based remote management
solution is vulnerable to reflected cross-site scripting attacks.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Vulnerability Details:
The login form reflects values from parameters without any kind of
filtering or escaping.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Proof of Concept (PoC):
The following attack vector exemplarily demonstrates the described
reflected cross-site scripting vulnerability:
http://$TARGET/cgi-bin/write.cgi?page=%22;document.write(%27%3Ch1%3EXSS%20Demonstration%3C/h1%3E%27)//
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution:
Install the provided security patch (see [2]).
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Disclosure Timeline:
2018-11-29: Detection of the vulnerability
2018-11-29: CVE number assigned
2018-12-03: Vulnerability reported to manufacturer
2018-12-20: Security patch was released from the vendor
2019-01-11: Public release of the security advisory
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
References:
[1] Product web site
https://www.netbiter.com/support/file-doc-downloads/netbiter-ws100
[2] HMS Security Advisory Report HMSSAR-2018-12-04-001
https://www.hms-networks.com/docs/librariesprovider6/cybersecurity/hms-security-advisory-2018-12-04-001-ec150-ec250-lc310-lc350-ws100-ws200-cve-2018-19694.pdf
[3] SySS Security Advisory SYSS-2018-042
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2018-042.txt
[4] SySS Responsible Disclosure Policy
https://www.syss.de/en/responsible-disclosure-policy/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Credits:
This security vulnerability was found by Micha Borrmann of SySS GmbH.
E-Mail: micha.borrmann (at) syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Micha_Borrmann.asc
Key Fingerprint: F2E7 C6A5 9950 84ED 7AD6 0DD4 EDBE 26E7 14EA 5876
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Disclaimer:
The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory
may be updated in order to provide as accurate information as
possible. The latest version of this security advisory is available on
the SySS Web site.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Copyright:
Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEE8ufGpZlQhO161g3U7b4m5xTqWHYFAlw4ozcACgkQ7b4m5xTq
WHbO4g//eCR/3uDF5Kr8G5Iybj8SkDbZVtkvvgX6E4NWKUEYC43F2buLtDqeei7k
CiELScdzz7n0SDhmbZLG9NT5Luo9Uu62bDfVejm9c6zLug0VftvX280HyPK51oxf
c3lX7mo5ZClq+Uj0UW/Pr4yZHhTEipySpRAOa1IM2VQqSN2tGThD/IOycZa3FmaL
qk5h+H+hIZKBhFGuowFhNULouP076l6ib66K/v6yXTO6BkcHNiHToUAWkoRuQ0rB
LEikXeAZqmv7DfKRwLhGJWzga4YDOQN0BCoVDtEzgpgf3ogyvwNMKnq5WxylfLn/
T2q8w4jvCmoPtQPRtW1IHGloMngso9O1bXBKzLAbS4EP/RJYzI8iazKVr7x9gpv0
7bw9+lQ9McMLLAiGgkJgMcWOjtaZpB+T5XegVbTjk/4g3kP6XCY8ZA4cvqxQ/QM5
4X5m5bk48ZW/agIqB+a8LzQdtQhFhITZ62eLO13Qmq7vEdIhTx6I1LmIIcICelyQ
pY0aRtMcXePGZOSiO/gqO50L1giA4BjwUOtSekvpt0XP/D4thruUajEK+4hnvazP
eX9bzseBj5gkaYGEBkj3adKK/AK9GALCwhj4UMvSlUA7uhMRUDZxErCZwUrVt9xB
TM0wQddZ5TFCWy22WONVd2+I53WqU+FZbP/Ygv+S0o22nHM++4E=
=TBoG
-----END PGP SIGNATURE-----