Charles River Admin Panel Reflected Cross Site Scripting

About Charles River:

Charles River provides an executable for high profile people which helps them to make decision about investment. It has some automated algorithm which performs the calculation and analysis and help the user to take investment decision.
This executable has an admin panel which is accessible through web browser.

Vulnerability:
The admin website of Charles River is vulnerable to post authentication cross site scripting vulnerability.
The file configPopup.do has parameter "n" which is vulnerable to reflected cross site scripting.

Exploit URL:

domain.com:8081/crts/admin/failover/configPopup.do?n=beanEventPublisher%3cscript%3ealert(1)%3c%2fscript%3e



Solution:
Not yet rolled out

Disclosure Timeline:
August 2018: Informed to Charles River - No reply
December 2018:Reminder mail sent through Contact Us - No reply
January 1 2019: Full disclosure.




Comments

Post a Comment

Popular posts from this blog

Minishare 1.4.1 Bufferoverflow

Image
You can download the server from:
https://www.dropbox.com/s/zhivgb79wtbce37/minishare-1.4.1.exe?dl=0

Exploit code in ruby:
https://www.exploit-db.com/exploits/616/

The vulnerability is a long URL in the GET request.
Eg:- GET AAAAAAAAAAAAAAAA..... HTTP/1.1

Lab Setup: 1) Windows xp ( I am using windows xp sp1)
2) Immunity debugger installed on the windows xp machine.
3) Minishare 1.4.1 installed on windows xp running on port 80.
2) Kali linux for scripting and exploiting.

Configure the victim: I have installed Minishare server 1.4.1 and it is listening for connections on port 80, as depicted below.


Generate Sample script to crash: We will try to smash the stack by sending a buffer of 2000 A's with the help of the following script.

#!/usr/share/python
import socket,sys
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect((sys.argv[1],80))
buff="GET "
buff+="A"*2000
buff+=" HTTP/1.1\r\n\r\n"
s.send(buff)
s.close()


Execute the exploit.It is observed t…
Read more

MY OSCP REVIEW

Image
MY OSCP REVIEW
About me I am just a guy who has done B.E (Computer Engineering), C.E.H and I am doing vulnerability assessment for different clients in Mumbai.

Inspiration to do OSCP Wanted to read technical stuff only then skip this para. Like other guyz I thought that OSCP is one of the most difficult task in the world of IT Security.
And yes, it is one the difficult mission you could ever face. Back in Dec 2014 I was really bored with the conventional vulnerability assessment thing, I wanted to do some more exploitation and some black hat stuff. But in our job we were not allowed to do so, as the environment used to be critical most of the time and time for completing the task was less.
So I asked few question on some group in facebook regarding How can I learn more exploitation stuff.
There was a guy with the name Mr.WhiteW0rm who have given me a brilliant answer and recommended me to do OSCP. That time I thought though I won't be able to do OSCP but at least I'll study in i…
Read more

Apache AXIS server pentest

Image
In one of my pentest engagement the scope was to test  a website abc.com/xyz/pqr.html and its mobile application.
The website seems to be stronger and I was not able to find any vulnerability. So I switched to mobile application.
When I was testing the mobile application, I was doing code analysis and found a URL in the code which was invoking a web service. The URL is as follows.

https://abc.com/InstaWebServices/services/VersionCheck


Read more