Anfibia Reactor 2.1.1 (login.do) Remote XSS POST Injection Vulnerability

Title: Anfibia Reactor 2.1.1 (login.do) Remote XSS POST Injection Vulnerability
Advisory ID: ZSL-2011-5008
Type: Local/Remote
Impact: Cross-Site Scripting
Risk: (2/5)
Release Date: 06.04.2011
Summary
Fast web-based server monitoring. Keep an eye on servers, connections, databases, cpu, hard drives and more!
Description
The Anfibia Reactor JS service suffers from a XSS vulnerability when parsing user input to the 'email' parameter via POST method in 'reactor/login.do' script at the manager login interface. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user's browser session.
Vendor
Anfibia Software - http://www.anfibia-soft.com
Affected Version
2.1.1.12
Tested On
Microsoft Windows XP Professional SP3 (EN)
Vendor Status
[14.03.2011] Vulnerability discovered.
[16.03.2011] Contact with the vendor.
[16.03.2011] Vendor replies asking more details.
[16.03.2011] Sent vulnerability details to vendor.
[16.03.2011] Vendor confirms XSS issue.
[06.04.2011] Vendor releases version 3 to address this issue. (http://www.anfibia-soft.com/download/anfibiareactorsetup.exe)
[06.04.2011] Coordinated public advisory released.
PoC
anfibiareactor_xss.html
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] http://www.anfibia-soft.com/products/reactor/whatsnew.htm
[2] http://www.anfibia-soft.com/products/reactor/help/Introduction/The New Anfibia reactor.htm
[3] http://packetstormsecurity.org/files/100130
[4] http://www.securityfocus.com/bid/47200
[5] http://securityreason.com/wlb_show/WLB-2011040036
[6] http://securityreason.com/exploitalert/10296
[7] http://secunia.com/advisories/44042/
[8] http://xforce.iss.net/xforce/xfdb/66611
[9] http://osvdb.org/show/osvdb/71704
Changelog
[06.04.2011] - Initial release
[07.04.2011] - Added reference [5], [6] and [7]
[08.04.2011] - Added reference [8]
[13.04.2011] - Added reference [9]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk