CVE-2019-19661 (Un-authenticated).md

File metadata and controls

31 lines (20 loc) · 1.83 KB

CVE-2019-19661

#Title: Cookie Based Persistent XSS

#Vendor: MAXUM Development (https://maxum.com)

#Affected Product: Rumpus FTP Web File Manager

#Tested On: Rumpus FTP Version 8.2.9.1 for Windows

#Description: A cookie-based persistent XSS was identified in the Web File Manager of Rumpus FTP Server 8.2.9.1. The payload executes on the Login page when a base64-encoded XSS payload is supplied as the value of the "snp" cookie.

It was observed that the vulnerable application stores the username, base64-encoded, in a cookie named "snp", and that this username is reflected into the username field of the application's "/Login" page.

When a logged-in user logs out of the session, or an unauthenticated user visits the "/Login" page, the username field is pre-filled with the last logged-in user's name. This is where the XSS occurs: the value reflected into the username field comes from the "snp" cookie, and because that cookie is stored in the browser, the injected payload is persistent for a targeted victim.

Payload: Cookie: snp=Ij48c2NyaXB0PmFsZXJ0KDApPC9zY3JpcHQ+
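The reflection described above, modelled as an added Python example (this is not Rumpus code, whose server side is not public): the login page is assumed to base64-decode the "snp" cookie and place the result in the `value` attribute of the username input, as the advisory states. The function names are hypothetical; the cookie value is the advisory's own payload.

```python
import base64
import binascii
import html

# Payload from the advisory: base64 of '"><script>alert(0)</script>'
SNP_COOKIE = "Ij48c2NyaXB0PmFsZXJ0KDApPC9zY3JpcHQ+"


def decode_snp(cookie_value: str) -> str:
    """Decode the base64 'snp' cookie (assumed server behaviour).

    Malformed base64 yields an empty username rather than an exception.
    """
    try:
        return base64.b64decode(cookie_value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return ""


def render_username_field_vulnerable(cookie_value: str) -> str:
    """Models the flaw: the decoded cookie text is concatenated into the
    attribute unencoded, so a leading '">' closes the attribute and tag."""
    username = decode_snp(cookie_value)
    return '<input type="text" name="username" value="' + username + '">'


def render_username_field_fixed(cookie_value: str) -> str:
    """Hardened form: HTML-attribute-encode the decoded value, so quotes and
    angle brackets stay inside the attribute as text."""
    username = decode_snp(cookie_value)
    encoded = html.escape(username, quote=True)
    return '<input type="text" name="username" value="' + encoded + '">'


def contains_script_element(markup: str) -> bool:
    """Checks whether a <script> element survived into the rendered page."""
    return "<script" in markup.lower()


def is_suspicious_snp(cookie_value: str) -> bool:
    """Defender-side check for logs or a reverse proxy: a username cookie
    whose decoded content carries markup-significant characters is not a
    plausible username and is worth flagging."""
    decoded = decode_snp(cookie_value)
    return any(ch in decoded for ch in '<>"\'')
```

Running the two renderers on the advisory's cookie shows the script element only in the vulnerable output; a benign base64 username such as "YWxpY2U=" ("alice") renders identically in both.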

Exploitation: Most cookie-based XSS issues aren't remotely exploitable, but in this case the cookie can be set in the victim's browser in two different ways:

  1. Exploiting with Reflected XSS (CVE-2019-19368) - I already have a pre-authenticated reflected XSS that helps set the "snp" cookie value with the following payload.

Payload: ?!'"><script>document.cookie = "snp=Ij48c3ZnL29ubG9hZD1hbGVydCgwKT41=%3B"</script>

  2. Exploiting with CSRF (CVE-2019-19664) - This application has a feature for adding an HTTP header, so the following header can be added. Payload: Set-Cookie: snp=Ij48c3ZnL29ubG9hZD1hbGVydCgwKT41=

Impact: An attacker can inject malicious JavaScript with various impacts, such as keylogging and unvalidated redirects.