CVE-2018-6603 – PROMISE TECHNOLOGY WEBPAM PRO-E HTTP RESPONSE HEADER INJECTION/XSS

A vulnerability is a mistake, exposure, misconfiguration or weakness in software code or systems that can allow an attacker to compromise, access, damage or otherwise perform unintended actions on an affected system or network.

DFDR continually researches systems and software to expose vulnerabilities and encourages organizations to improve their security through disclosure and coordination. Research findings and exposures are disclosed publicly for the purposes of public awareness and remediation. Vendors and clients are typically made aware of these issues when discovered, coordinating on public disclosure when appropriate.

Many of these are discovered during the course of an engagement with our clients. DFDR’s security team regularly performs penetration tests, web application assessments and security reviews for a wide range of industries, clientele and organizations. Results of these assessments are vetted and findings are confidential.

Public disclosure typically takes place when a third-party component is publicly distributed, affects a large number of organizations and the discovery or exploit has been communicated to the affected organization. Direct engagement results and findings are not released unless the affected organization requests it.

# Exploit Title: Promise Technology WebPam Pro-E HTTP Response Header Injection/XSS
# Date: 1/31/18
# Exploit Author: Ken Pyle, DFDR Consulting
# consult@dfdrconsulting.com
# Vendor Homepage: http://www.promise.com
#
# Version: WebPam Pro-E web application
# Tested on: N/A
# CVE: CVE-2018-6603

This vulnerability has been reference checked.

This configuration was identical across all systems tested.

The application does not sanitize the value of the PHPSESSID cookie before reflecting it, resulting in HTTP Response Splitting / CRLF Injection.

Affected pages:

/
/index.php

Affected Cookie:
PHPSESSID

Example/PoC:

Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: language=en_US; PHPSESSID=TESTINJECTION%0d%0a%0d%0a(script injection here)
Connection: close
Upgrade-Insecure-Requests: 1

This example results in a script popup, demonstrating XSS. The injection can be used for a number of attacks, including information exposure, leakage of tokens, client-side code execution and other vectors. Attacks of this nature can also be used to poison proxy caches, affecting every user who requests the resource through that proxy.
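As an added example (not part of the original advisory or the vendor's code), the following Python models the reflected-cookie pattern the PoC above relies on: a naive Set-Cookie header built from the URL-decoded PHPSESSID value splits the response at the injected CRLF pair, while the hardened builder refuses control characters, and a small rule flags such requests for log review. The header layout and the `<marker>` payload are constructed for illustration and are assumptions, not taken from the product.

```python
import re
from urllib.parse import unquote

# Constructed sample: the Cookie header from the PoC above, with the
# "(script injection here)" placeholder replaced by an inert marker.
SAMPLE_COOKIE_HEADER = "language=en_US; PHPSESSID=TESTINJECTION%0d%0a%0d%0a<marker>"
CRLF = "\r\n"
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")  # includes CR (0x0d) and LF (0x0a)


def session_id_from_cookie(cookie_header: str) -> str:
    """Mimic a server that URL-decodes the PHPSESSID value without checking it."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "PHPSESSID":
            return unquote(value)
    return ""


def build_response_unsafe(session_id: str) -> str:
    """Vulnerable pattern: the decoded value is echoed straight into a header."""
    return CRLF.join([
        "HTTP/1.1 200 OK",
        "Content-Type: text/html",
        f"Set-Cookie: PHPSESSID={session_id}; Path=/",
        "",
        "<html>real page</html>",
    ])


def has_control_chars(value: str) -> bool:
    """True if the value could terminate or inject a header line."""
    return CONTROL_CHARS.search(value) is not None


def build_response_hardened(session_id: str) -> str:
    """Fixed pattern: reject any control character before emitting the header."""
    if has_control_chars(session_id):
        raise ValueError("refusing to emit header with control characters")
    return build_response_unsafe(session_id)


def split_response(raw: str):
    """Parse like a client/proxy: everything after the first blank line is body."""
    head, _, body = raw.partition(CRLF + CRLF)
    return head, body


def detect_crlf_in_cookie(cookie_header: str) -> bool:
    """Log/WAF rule: the decoded Cookie header contains CR or LF."""
    return bool(re.search(r"[\r\n]", unquote(cookie_header)))
```

Running `split_response(build_response_unsafe(...))` on the sample shows the injected marker landing in the response body while `Path=/` and the real page are pushed below it, which is exactly the split a proxy cache would store.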

Remediation:

Apply the vendor patch when available.

Vulnerability Discovered: 1/30/18

Vendor Notified: 2/2/18

Website: www.dfdrconsulting.com

This vulnerability was discovered by consult@dfdrconsulting.com. Please credit the author in all references to this exploit.