Monday, May 23, 2011

Zabbix Cross-Site Scripting Vulnerability

Apparently it's my lucky day! Second vulnerability found in the Zabbix monitoring platform today. This is a non-persistent XSS vulnerability found in the acknow.php web page. The following bit of code is not sanitized or filtered at all:


When making a request to the acknow.php web page, the "backurl" parameter is populated with a value but never checked to ensure it hasn't changed (think integrity checking here). By editing the "backurl" parameter and closing the JavaScript tag it is part of, you can complete a block of code. Notice the underlined bit in red: this closing tag allows us to end one code block and then create our own, injecting the XSS script. Here is the initial web page:



You can go ahead and insert any text in the message field; it is irrelevant. Use a proxy to capture the request and manipulate the "backurl" parameter:



The resulting web page should show you the XSS attack results:



I'm going to have to keep hunting to see if I can find anything else amiss in Zabbix ;-)
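
The missing checks described above (no integrity check on "backurl", no output filtering inside the script block), shown next to a hardened form. This is an added example, not code from this post or from Zabbix; the function names, the allow-listed page names and the sample inputs are constructed assumptions.

```php
<?php
// Added example, not Zabbix code: function names and page list are assumptions.
const ALLOWED_BACK_PAGES = ['page_a.php', 'page_b.php']; // constructed allow-list

// Vulnerable pattern: the raw parameter is concatenated into an inline script,
// so a value containing a closing script tag ends the block early.
function render_vulnerable(string $backurl): string
{
    return "<script type=\"text/javascript\">var backurl = '" . $backurl . "';</script>";
}

// Integrity check: accept only a known page name plus an optional query string
// from a conservative character set; anything else falls back to a default.
function validate_backurl(string $backurl, string $default = 'page_a.php'): string
{
    if (!preg_match('/^([a-z_]+\.php)(\?[A-Za-z0-9_=&%\[\].-]*)?$/D', $backurl, $m)) {
        return $default;
    }
    return in_array($m[1], ALLOWED_BACK_PAGES, true) ? $backurl : $default;
}

// Context-aware output: json_encode with the JSON_HEX_* flags emits <, >, &,
// ' and " as \uXXXX escapes, so the value cannot close the script element or
// the string literal even if the validation step is ever loosened.
function render_hardened(string $backurl): string
{
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    $js = json_encode(validate_backurl($backurl), $flags);
    return '<script type="text/javascript">var backurl = ' . $js . ';</script>';
}

// Constructed sample inputs: one legitimate, one carrying a closing tag.
$samples = [
    'page_a.php?id=42',
    'page_a.php</script><i>injected markup</i>',
];
foreach ($samples as $s) {
    echo "input:      $s\n";
    echo "vulnerable: " . render_vulnerable($s) . "\n";
    echo "hardened:   " . render_hardened($s) . "\n\n";
}
```

For the second sample the vulnerable output contains two closing script tags, while the hardened output falls back to the default page and contains exactly one.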
