← Advisories

Mango Automation 2.6.0 Remote XSS POST Injection Vulnerability

Medium

Advisory ID

ZSL-2015-5257

Release Date

26 September 2015

Vendor

Infinite Automation Systems Inc. - http://www.infiniteautomation.com

Affected Version

2.5.2 and 2.6.0 beta (build 327)

CVE

CVE-2015-6494

Tested On

Microsoft Windows 7 Professional SP1 (EN) 32/64bit, Microsoft Windows 7 Ultimate SP1 (EN) 32/64bit, Jetty(9.2.2.v20140723), Java(TM) SE Runtime Environment (build 1.8.0_51-b16), Java HotSpot(TM) Client VM (build 25.51-b03, mixed mode)

Summary

Mango Automation is a flexible SCADA, HMI And Automation software application that allows you to view, log, graph, animate, alarm, and report on data from sensors, equipment, PLCs, databases, webpages, etc. It is easy, affordable, and open source.

Description

The application is prone to a reflected cross-site scripting vulnerability due to a failure to properly sanitize user-supplied input to the 'username' POST parameter in the 'login.htm' script. Attackers can exploit this issue to execute arbitrary HTML and script code in a user's browser session.

Proof of Concept

mango_xss.txtTXT

Disclosure Timeline

20.08.2015Vulnerability discovered.

25.08.2015Vendor contacted.

25.08.2015Vendor responds giving support e-mail to send details to.

25.08.2015Details sent to the support contact.

27.08.2015Asked vendor for status update.

12.09.2015No reply from the vendor.

13.09.2015Asked vendor for status update.

25.09.2015No reply from the vendor.

26.09.2015Public security advisory released.