Title: InfraPower PPS-02-S Q213V1 Multiple XSS Vulnerabilities
Advisory ID: ZSL-2016-5369
Type: Local/Remote
Impact: Cross-Site Scripting
Risk: (3/5)
Release Date: 28.10.2016

Summary

InfraPower Manager PPS-02-S is a FREE built-in GUI of each IP dongle ( IPD-02-S only ) to remotely monitor the connected PDUs. Patented IP Dongle provides IP remote access to the PDUs by a true network IP address chain. Only 1xIP dongle allows access to max. 16 PDUs in daisy chain - which is a highly efficient cient application for saving not only the IP remote accessories cost, but also the true IP addresses required on the PDU management.

Description

InfraPower suffers from multiple stored and reflected XSS vulnerabilities when input passed via several parameters to several scripts is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

Vendor

Austin Hughes Electronics Ltd. - http://www.austin-hughes.com

Affected Version

Q213V1 (Firmware: V2395S)

Tested On

Linux 2.6.28 (armv5tel)
lighttpd/1.4.30-devel-1321
PHP/5.3.9
SQLite/3.7.10

Vendor Status

[27.09.2016] Vulnerability discovered.
[03.10.2016] Vendor contacted.
[04.10.2016] Vendor responds asking more details.
[04.10.2016] Sent details to the vendor.
[06.10.2016] Vendor has released a new firmware version that addresses these issues.
[28.10.2016] Public security advisory released.

PoC

infrapower_xss.txt

Credits

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>

References

[1] https://www.exploit-db.com/exploits/40641/
[2] https://packetstormsecurity.com/files/139418
[3] https://cxsecurity.com/issue/WLB-2016100260
[4] https://exchange.xforce.ibmcloud.com/vulnerabilities/118414

Changelog

[28.10.2016] - Initial release
[31.10.2016] - Added reference [1], [2] and [3]
[02.11.2016] - Added reference [4]

Contact

Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk