Advantech WebAccess HMI/SCADA 未明跨站脚本漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1121486 漏洞类型 跨站脚本
发布时间 2013-01-08 更新时间 2013-08-14
CVE编号 CVE-2013-2299 CNNVD-ID CNNVD-201301-127
漏洞平台 ASP CVSS评分 3.5
|漏洞来源
https://www.exploit-db.com/exploits/23968
https://www.securityfocus.com/bid/57227
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201301-127
|漏洞详情
AdvantechWebAccessHMI/SCADA是研华(Advantech)公司的一套基于浏览器架构的HMI/SCADA软件。该软件支持动态图形显示和实时数据控制,并提供远程控制和管理自动化设备的功能。AdvantechWebAccess(前称BroadWinWebAccess)7.0及之前的版本中存在跨站脚本漏洞。远程经过的授权的攻击者可利用该漏洞注入任意Web脚本或HTML。
|漏洞EXP
##############################################################################
#
# Title    : Advantech WebAccess HMI/SCADA Software Persistence Cross-Site
#            Scripting Vulnerability
# Author   : Antu Sanadi SecPod Technologies (www.secpod.com)
# Vendor   : http://webaccess.advantech.com/
# Advisory : http://secpod.org/blog/?p=569
#	         http://secpod.org/advisories/SecPod_Advantech_WebAccess_Stored_XSS_Vuln.txt
# Software : Advantech WebAccess HMI/SCADA Software 7.0-2012.12.05
# Date     : 08/01/2013
#
###############################################################################

SecPod ID: 1046                                 10/12/2012 Issue Discovered
                                                18/12/2012 Vendor Notified
                                                No Response from vendor
                                                08/01/2013 Advisory Released


Class: Cross-Site Scripting                     Severity: High


Overview:
---------
Advantech WebAccess HMI/SCADA Software Persistence Cross-Site Scripting
Vulnerability.


Technical Description:
----------------------
Advantech WebAccess HMI/SCADA Software Persistence Cross-Site Scripting
Vulnerability.

Input passed via the 'ProjDesc' parameter in 'broadWeb/include/gAddNew.asp'
(when tableName=pProject set) page is not properly verified before it is
returned to the user. This can be exploited to execute arbitrary HTML and
script code in a user's browser session in the context of a vulnerable site.

The vulnerabilities are tested in Advantech WebAccess 7.0-2012.12.05 Other
versions  may also be affected.


Impact:
--------
Successful exploitation will allow a remote authenticated attacker to execute
arbitrary HTML code in a user's browser session in the context of a vulnerable
application.


Affected Software:
------------------
Advantech WebAccess HMI/SCADA Software 7.0-2012.12.05

Tested on Advantech WebAccess HMI/SCADA Software 7.0-2012.12.05 on Windows XP SP3


References:
-----------
http://secpod.org/blog/?p=569
http://webaccess.advantech.com
http://secpod.org/advisories/SecPod_Advantech_WebAccess_Stored_XSS_Vuln.txt


Proof of Concept:
-----------------

1) Login into project management interface 
   http://IP-Address/broadWeb/bwconfig.asp?username=admin
2) Go to http://IP-Address/broadweb/bwproj.asp
3) Create New Project with Project Description as <script>alert("XSS")<script>
4) Now Java script '<script>alert("XSS")<script>' will be executed, 
   when 'bwproj.asp' will be loaded


Solution:
----------
Fix not available


Risk Factor:
-------------
    CVSS Score Report:
        ACCESS_VECTOR          = NETWORK
        ACCESS_COMPLEXITY      = MEDIUM
        AUTHENTICATION         = SINGLE INSTANCE
        CONFIDENTIALITY_IMPACT = NONE
        INTEGRITY_IMPACT       = COMPLETE
        AVAILABILITY_IMPACT    = NONE
        EXPLOITABILITY         = PROOF_OF_CONCEPT
        REMEDIATION_LEVEL      = UNAVAILABLE
        REPORT_CONFIDENCE      = CONFIRMED
        CVSS Base Score        = 6.3 (High) (AV:N/AC:M/Au:SI/C:N/I:C/A:N)


Credits:
--------
Antu Sanadi of SecPod Technologies has been credited with the discovery of this
vulnerability.
|参考资料

来源:ics-cert.us-cert.gov
链接:http://ics-cert.us-cert.gov/advisories/ICSA-13-225-01
来源:BID
名称:57227
链接:http://www.securityfocus.com/bid/57227