
Xplico 0.5.7 (add.ctp) Remote XSS Vulnerability

Medium
Advisory ID: ZSL-2010-4944
Release Date: 02 July 2010
Vendor: Xplico Team - http://www.xplico.org
Affected Version: 0.5.7
CVE: N/A
Tested On: GNU/Linux Debian, Apache
Summary

The goal of Xplico is to extract the application data contained in an internet traffic capture. For example, from a pcap file Xplico extracts each email (POP, IMAP, and SMTP protocols), all HTTP contents, each VoIP call (SIP), FTP, TFTP, and so on. Xplico isn’t a network protocol analyzer. Xplico is an open source Network Forensic Analysis Tool (NFAT).

Description

Xplico is vulnerable to cross-site scripting (XSS). An attacker can use a POST request to exploit this vulnerability, injecting code into the web pages viewed by other users.

Detecting vulnerabilities:
- /opt/xplico/xi/app/views/pols/add.ctp:13
- /opt/xplico/xi/app/views/pols/add.ctp:14
- /opt/xplico/xi/app/views/sols/add.ctp:10
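
A minimal static check for the class of flaw described above, as an added example (not part of the original advisory and not Xplico's code): it flags PHP output statements in a CakePHP-style `.ctp` template that print request-derived values outside `h()` / `htmlspecialchars()`, and reports them as `path:line`. The template text, its path, and the list of taint sources are constructed assumptions.

```python
import re

# Single-statement output tags: <?php echo ...; ?> and <?= ... ?>
ECHO_RE = re.compile(r"<\?(?:php\s+echo\b|=)(.*?)\?>", re.S)
# Assumed request-derived sources visible to a CakePHP 1.x view.
TAINT_RE = re.compile(r"\$_(?:POST|GET|REQUEST)\b|\$this->(?:data|params)\b")
# Output-escaping calls: CakePHP's h() and PHP's own escaping functions.
ESCAPE_RE = re.compile(r"\b(?:h|htmlspecialchars|htmlentities)\s*\(")

def strip_escaped(expr):
    """Drop every escaping call with its arguments, leaving unescaped code.

    Parentheses are counted naively; a ')' inside a string literal would
    end the call early, which errs on the side of reporting.
    """
    out, pos = [], 0
    while True:
        m = ESCAPE_RE.search(expr, pos)
        if not m:
            out.append(expr[pos:])
            return "".join(out)
        out.append(expr[pos:m.start()])
        depth, i = 1, m.end()
        while i < len(expr) and depth:
            depth += {"(": 1, ")": -1}.get(expr[i], 0)
            i += 1
        pos = i

def scan_template(path, text):
    """Return 'path:line' for each echo that prints a tainted value raw."""
    findings = []
    for m in ECHO_RE.finditer(text):
        if TAINT_RE.search(strip_escaped(m.group(1))):
            line = text.count("\n", 0, m.start()) + 1
            findings.append(f"{path}:{line}")
    return findings

# Constructed template (hypothetical path and field names).
SAMPLE = """<h2>New item</h2>
<p><?php echo $this->data['Item']['name']; ?></p>
<p><?php echo h($this->data['Item']['name']); ?></p>
<p><?= h($title) . $_POST['note'] ?></p>
<p><?php echo htmlspecialchars($_POST['note'], ENT_QUOTES, 'UTF-8'); ?></p>
"""

if __name__ == "__main__":
    for finding in scan_template("app/views/items/add.ctp", SAMPLE):
        print(finding)
```

Line 4 of the sample is flagged even though it contains an `h()` call, because the escaped part is removed before the taint check and the concatenated `$_POST` value remains.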
Proof of Concept
Disclosure Timeline
22.06.2010: Vulnerability discovered.
22.06.2010: Vendor informed.
22.06.2010: Vendor replied.
24.06.2010: Asked vendor for confirmation.
24.06.2010: Vendor confirms vulnerability.
24.06.2010: Asked vendor for status.
24.06.2010: Vendor replied.
29.06.2010: Vendor reveals patch release date.
29.06.2010: Coordinated public advisory.
Credits
Vulnerability discovered by Maximiliano Soler and Marcos Garcia
References
Changelog
02.07.2010: Initial release
04.07.2010: Added reference [4] and [5]
10.07.2010: Added reference [6]