Tuesday, September 16, 2014

LISTSERV 15.5 Persistent XSS

During an external penetration test for a client, I came across a LISTSERV 15.5 Lite server. 

Account creation was trivial, and upon authentication I began snooping around.  There are a few CVE's floating around out there (old), but I couldn't get anything to pop.  Input was either encoded, filtered, or escaped and it seemed that the application was doing an adequate job. 

Within the "Preferences" section, I found the "Report Preferences" section.

Under this section, a setting for "Lists and Subscribers Displayed:"


The parameter "1" stored input unfiltered:



I moved to a somewhat better proof of concept - a lame alert box:



I noticed that the value was passed through a GET request in the URL!  Wow!


As you can imagine, this is a pretty devastating finding.  Stored XSS, by passing a crafted Javascript to the "1" parameter through a URL. 

This URL can be sent to anybody (authenticated or unauthenticated).  LISTSERV will have them either login, or create an account.  And, will then (upon authentication) pass the parameter back to the application and not only instantly execute the arbitrary javascript, but store that javascript in their profile!

Currently, no CVE's exist for this LISTSERV Persistent XSS flaw.