2013-002: Reflected XSS in Asteriskguru Queue Statistics

Original release date: January 22nd, 2013
Last revised: March 10th, 2013
Discovered by: Manuel García Cardenas
Severity: 4,8/10 (CVSS Base Score)

BACKGROUND

The Asteriskguru Queue Statistics, is a PHP based program, which gives anyone who uses queues or CDRs overview in Asterisk a deep insight in the quality of the service which is delivered to their customers. It is fully developped by the Asteriskguru developpers.

DESCRIPTION

Has been detected a reflected XSS vulnerability in Asteriskguru Queue Statistics , that allows the execution of arbitrary HTML/script code to be executed in the context of the victim user's browser.

The code injection is done through the parameter warning in the page error.php.

PROOF OF CONCEPT 

Malicious Request:

http://vulnerablesite.com/public/error.php?warning=< xss injection >

Example:

http://vulnerablesite.com/public/error.php?warning=< script >alert("XSS")< /script >

BUSINESS IMPACT

An attacker can execute arbitrary HTML or script code in a targeted user's browser, this can leverage to steal sensitive information as user credentials, personal data, etc.

SYSTEMS AFFECTED

All Versions of Asteriskguru Queue Statistics.

SOLUTION

All data received by the application and can be modified by the user, before making any kind of transaction with them must be validated.

REVISION HISTORY

January 22, 2013: Initial release

DISCLOSURE TIMELINE

  • January 22, 2013: Vulnerability acquired by Internet Security Auditors (www.isecauditors.com)
  • January - February: Attempts to contact someone managing the project without answer.
  • March 10, 2013: Send to lists.

REFERENCES

LEGAL NOTICES

The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Internet Security Auditors accepts no responsibility for any damage caused by the use or misuse of this information.

ABOUT

Internet Security Auditors is a Spain and Colombia based company leader in web application testing, network security, penetration testing, security compliance implementation and assessing. Our clients include some of the largest companies in areas such as finance, telecommunications, insurance, ITC, etc. We are vendor independent provider with a deep expertise since 2001. Our efforts in R&D include vulnerability research, open security project collaboration and whitepapers, presentations and security events participation and promotion. For further information regarding our security services, contact us.