[ISecAuditors Security Advisories] Reflected XSS in Asteriskguru Queue Statistics

[ISecAuditors Security Advisories <advisories () isecauditors com>]

=============================================
INTERNET SECURITY AUDITORS ALERT 2013-002
- Original release date: January 22nd, 2013
- Last revised:  March 10th, 2013
- Discovered by: Manuel Garcia Cardenas
- Severity: 4,8/10 (CVSS Base Score)
=============================================

I. VULNERABILITY
-------------------------
Reflected XSS in Asteriskguru Queue Statistics.

II. BACKGROUND
-------------------------
The Asteriskguru Queue Statistics, is a PHP based program, which gives
anyone who uses queues or CDRs overview in Asterisk a deep insight in
the quality of the service which is delivered to their customers. It
is fully developed by the Asteriskguru developers.

III. DESCRIPTION
-------------------------
Has been detected a reflected XSS vulnerability in Asteriskguru Queue
Statistics , that allows the execution of arbitrary HTML/script code
to be executed in the context of the victim user's browser.

The code injection is done through the parameter warning in the page
error.php.

IV. PROOF OF CONCEPT
-------------------------
Malicious Request:
http://vulnerablesite.com/public/error.php?warning=<XSS injection>

Example:
http://vulnerablesite.com/public/error.php?warning=<script>alert("XSS")</script>

V. BUSINESS IMPACT
-------------------------
An attacker can execute arbitrary HTML or script code in a targeted
user's browser, this can leverage to steal sensitive information as
user credentials, personal data, etc.

VI. SYSTEMS AFFECTED
-------------------------
All Versions of Asteriskguru Queue Statistics.

VII. SOLUTION
-------------------------
All data received by the application and can be modified by the user,
before making any kind of transaction with them must be validated.

VIII. REFERENCES
-------------------------
http://www.asteriskguru.com/tools/queue_stats.php
http://www.isecauditors.com

IX. CREDITS
-------------------------
This vulnerability has been discovered
by Manuel Garcia Cardenas (mgarcia (at) isecauditors (dot) com).

X. REVISION HISTORY
------------------------
January   22, 2013: Initial release

XI. DISCLOSURE TIMELINE
-------------------------
January 22, 2013:   Vulnerability acquired by
                    Internet Security Auditors (www.isecauditors.com)
January - February: Attempts to contact someone managing
                    the project without answer.
March   10, 2013:   Send to lists.

XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
Internet Security Auditors accepts no responsibility for any damage
caused by the use or misuse of this information.

XIII. ABOUT
-------------------------
Internet Security Auditors is a Spain based leader in web application
testing, network security, penetration testing, security compliance
implementation and assessing. Our clients include some of the largest
companies in areas such as finance, telecommunications, insurance,
ITC, etc. We are vendor independent provider with a deep expertise
since 2001. Our efforts in R&D include vulnerability research, open
security project collaboration and whitepapers, presentations and
security events participation and promotion. For further information
regarding our security services, contact us.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/