Anfibia Reactor 2.1.1 (login.do) Remote XSS POST Injection Vulnerability

Low
Advisory ID: ZSL-2011-5008
Release Date: 06 April 2011
Vendor: Anfibia Software - http://www.anfibia-soft.com
Affected Version: 2.1.1.12
CVE: N/A
Tested On: Microsoft Windows XP Professional SP3 (EN)
Summary

Fast web-based server monitoring. Keep an eye on servers, connections, databases, CPU, hard drives and more!

Description

The Anfibia Reactor JS service suffers from an XSS vulnerability: user input supplied in the 'email' parameter of a POST request to the 'reactor/login.do' script (the manager login interface) is reflected into the response without proper sanitization. An attacker can exploit this weakness to execute arbitrary HTML and script code in a user's browser session.
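As an added defender-side illustration (not code from the advisory or from Anfibia), the following Python models a login handler that echoes the POSTed 'email' value back into the login page, first unencoded in the way the advisory describes, then with HTML encoding applied in both text and attribute context; the request body, handler names and page markup are constructed assumptions, not the vendor's code.

```python
# Added example: models the reflected-XSS pattern on a login form and its fix.
# Nothing here is Anfibia's code; the markup and names are assumptions.
import html
import re
from urllib.parse import parse_qs

# Constructed POST body: email = "><script>alert(1)</script> (URL-encoded).
SAMPLE_BODY = "email=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&password=x"

# Loose syntactic check, used only as defence in depth; encoding is the fix.
EMAIL_RE = re.compile(r"^[^@\s<>\"']+@[^@\s<>\"']+\.[^@\s<>\"']+$")


def parse_post_body(body: str) -> dict:
    """Parse an application/x-www-form-urlencoded body into a flat dict."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def render_login_error_vulnerable(email: str) -> str:
    """Reflects the submitted value verbatim (the flawed pattern)."""
    return ('<form method="POST" action="/reactor/login.do">'
            '<p class="error">Login failed for ' + email + '</p>'
            '<input name="email" value="' + email + '"></form>')


def render_login_error_safe(email: str) -> str:
    """Same page, value HTML-encoded; quote=True also covers the attribute."""
    safe = html.escape(email, quote=True)
    return ('<form method="POST" action="/reactor/login.do">'
            '<p class="error">Login failed for ' + safe + '</p>'
            '<input name="email" value="' + safe + '"></form>')


def is_plausible_email(value: str) -> bool:
    """Reject values that are not even shaped like an address."""
    return EMAIL_RE.match(value) is not None


def handle_login(body: str, hardened: bool = True) -> str:
    """Hypothetical login.do handler: always fails, reflecting the email."""
    email = parse_post_body(body).get("email", "")
    if not hardened:
        return render_login_error_vulnerable(email)
    # Hardened path: markup-bearing or malformed input is never echoed raw.
    if not is_plausible_email(email):
        email = ""
    return render_login_error_safe(email)
```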

Proof of Concept
Disclosure Timeline
14.03.2011 - Vulnerability discovered.
16.03.2011 - Contact with the vendor.
16.03.2011 - Vendor replies asking for more details.
16.03.2011 - Sent vulnerability details to vendor.
16.03.2011 - Vendor confirms XSS issue.
06.04.2011 - Vendor releases version 3 to address this issue. (http://www.anfibia-soft.com/download/anfibiareactorsetup.exe)
06.04.2011 - Coordinated public advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
06.04.2011 - Initial release
07.04.2011 - Added references [5], [6] and [7]
08.04.2011 - Added reference [8]
13.04.2011 - Added reference [9]