Ajenti 1.2.13 Cross Site Scripting

1. # Exploit Title: Ajenti - Stored (Persistent) Cross Site Scripting Vulnerability
2. # Date: 16/01/2014
3. # Exploit Author: projectzero labs
4. # Vendor Homepage: http://www.ajenti.org
5. # Vendor Informed: 14/01/2014
6. # Software Link: http://www.ajenti.org
7. # Version: 1.2.13
8. # Tested on: Kali Linux / Iceweasel v.22
9.  
10. About the software:
11. ===================
12.  
13. Ajenti is a server administration panel for Linux and FreeBSD.
14.  
15.  
16. Vulnerability Details:
17. ======================
18.  
19. projectzero labs identified a stored (persistent) cross site scripting vulnerability that affects many of
20. the forms in the ajenti web panel.
21.  
22. The vulnerability exists because some data inputs are not properly sanitized and this can lead to
23. malicious code injection that will be executed on the target's browser.
24.  
25.  
26. Report & Proof Of Concept:
27. ==========================
28.  
29. A detailed report with screenshots as Proof Of Concept can be found in the software's bug tracker (Github):
30.  
31. https://github.com/Eugeny/ajenti/issues/233
32.  
33. Vendor has already informed and committed a quick patch:
34. https://github.com/Eugeny/ajenti/commit/3270fd1d78391bb847b4c9ce37cf921f485b1310
35.  
36.  
37. Payload:
38. ========
39.  
40. As payloads we tested the classic alert popup and the url redirection to google:
41.  
42. <script>alert("XSS");</script>
43. <script>window.location = "http://google.com"</script>
44.  
45. For example a vulnerable form is the: System > Cron > Command field
46. For more information there are some screenshots available in the github bug report
47.  
48.  
49. Severity:
50. =========
51. Medium
52.  
53.  
54. Credits:
55. ========
56.  
57. projectzero labs
58.  
59. labs@projectzero.gr
60. http://www.projectzero.gr