Created January 3, 2021 19:17
Mk-Auth User Impersonation Via Reflected XSS and Unprotected Session Cookie
Product Description:
Mk-Auth is a Brazilian management system for Internet Service Providers, used to control client access and permissions through a web interface panel.
Vulnerability Description:
It is possible to steal and reuse an admin session token by abusing a reflected XSS together with an unprotected session cookie.
Additional Information:
The session token cookie (centralmka2) does not have the HttpOnly flag set, which allows JavaScript code to read its content. In addition, the parameter "registro" of the "logs_ajax.php" page is vulnerable to reflected XSS, which allows an attacker to take advantage of the misconfigured cookie. See below an example of a malicious request:
http://<mkserver>/admin/logs_ajax.php?registro=0&tipo=todos%27%3balert(document.cookie)%2f%2f
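Two defender-side checks for the issues described above, added here as an example and not part of the original advisory: a scanner over constructed Apache-style access-log lines that flags requests to /admin/logs_ajax.php whose "registro" or "tipo" values contain string-breakout characters (the request above is one of the sample lines), and a check that the centralmka2 Set-Cookie header carries HttpOnly and Secure. The log format, the sample lines and the cookie values are assumptions of this example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Apache "combined" access-log format (assumed; adjust to the server's own format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
# Characters that break out of the string context the vulnerable page reflects into.
BREAKOUT = re.compile(r"""['"<>;()]""")
WATCHED_PARAMS = ("registro", "tipo")

def flag_request(url):
    """Return [(param, decoded value), ...] that look like injection into logs_ajax.php."""
    parts = urlsplit(url)
    if not parts.path.endswith("/admin/logs_ajax.php"):
        return []
    hits = []
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if name not in WATCHED_PARAMS:
            continue
        for v in values:
            decoded = unquote(v)  # parse_qs decoded once; this catches double encoding
            if BREAKOUT.search(decoded):
                hits.append((name, decoded))
    return hits

def scan_log(lines):
    """Yield (ip, timestamp, param, value) for every suspicious access-log line."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            for name, value in flag_request(m["url"]):
                yield (m["ip"], m["ts"], name, value)

def cookie_flags_missing(set_cookie_header, cookie_name="centralmka2"):
    """Return the set of HttpOnly/Secure flags missing on the named cookie, or None."""
    attrs = [a.strip() for a in set_cookie_header.split(";")]
    if attrs[0].split("=", 1)[0].strip() != cookie_name:
        return None  # header is for some other cookie
    present = {a.lower() for a in attrs[1:]}
    return {f for f in ("HttpOnly", "Secure") if f.lower() not in present}

# Constructed sample log: a benign request, the advisory's request, and an off-target one.
SAMPLE_LOG = [
    '10.0.0.5 - - [03/Jan/2021:19:17:00 -0300] "GET /admin/logs_ajax.php?registro=0&tipo=todos HTTP/1.1" 200 512',
    '10.0.0.9 - - [03/Jan/2021:19:17:05 -0300] "GET /admin/logs_ajax.php?registro=0&tipo=todos%27%3balert(document.cookie)%2f%2f HTTP/1.1" 200 640',
    '10.0.0.9 - - [03/Jan/2021:19:17:06 -0300] "GET /admin/index.php?tipo=%27 HTTP/1.1" 200 100',
]
```

Running `list(scan_log(SAMPLE_LOG))` reports only the second line; the third is not on the vulnerable page and is left alone.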
Vulnerability Type:
CWE-79: Improper Neutralization of Input During Web Page Generation
CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag
Vendor:
Mk-Auth
Affected Product:
MK-Auth 19.01 :: K4.9
Previous versions are probably also affected.
Affected Component:
Admin: Logs
Attack Vector:
Remote
Code Execution:
No
Attack Vector:
A logged-in administrator or support user must click on a malicious link.
Reference:
http://mk-auth.com.br/
Discoverer:
Alan Lacerda (alacerda) | alacerda[at]intruderlabs.com.br
Filipe Cordeiro (sknux) | c_sfilipe[at]outlook.com