============================================= INTERNET SECURITY AUDITORS ALERT 2013-002 - Original release date: January 22nd, 2013 - Last revised: March 10th, 2013 - Discovered by: Manuel Garcia Cardenas - Severity: 4,8/10 (CVSS Base Score) ============================================= I. VULNERABILITY ------------------------- Reflected XSS in Asteriskguru Queue Statistics. II. BACKGROUND ------------------------- The Asteriskguru Queue Statistics, is a PHP based program, which gives anyone who uses queues or CDRs overview in Asterisk a deep insight in the quality of the service which is delivered to their customers. It is fully developed by the Asteriskguru developers. III. DESCRIPTION ------------------------- Has been detected a reflected XSS vulnerability in Asteriskguru Queue Statistics , that allows the execution of arbitrary HTML/script code to be executed in the context of the victim user's browser. The code injection is done through the parameter warning in the page error.php. IV. PROOF OF CONCEPT ------------------------- Malicious Request: http://vulnerablesite.com/public/error.php?warning=<XSS injection> Example: http://vulnerablesite.com/public/error.php?warning=<script>alert("XSS")</script> V. BUSINESS IMPACT ------------------------- An attacker can execute arbitrary HTML or script code in a targeted user's browser, this can leverage to steal sensitive information as user credentials, personal data, etc. VI. SYSTEMS AFFECTED ------------------------- All Versions of Asteriskguru Queue Statistics. VII. SOLUTION ------------------------- All data received by the application and can be modified by the user, before making any kind of transaction with them must be validated. VIII. REFERENCES ------------------------- http://www.asteriskguru.com/tools/queue_stats.php http://www.isecauditors.com IX. CREDITS ------------------------- This vulnerability has been discovered by Manuel Garcia Cardenas (mgarcia (at) isecauditors (dot) com). X. REVISION HISTORY ------------------------ January 22, 2013: Initial release XI. DISCLOSURE TIMELINE ------------------------- January 22, 2013: Vulnerability acquired by Internet Security Auditors (www.isecauditors.com) January - February: Attempts to contact someone managing the project without answer. March 10, 2013: Send to lists. XII. LEGAL NOTICES ------------------------- The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Internet Security Auditors accepts no responsibility for any damage caused by the use or misuse of this information. XIII. ABOUT ------------------------- Internet Security Auditors is a Spain based leader in web application testing, network security, penetration testing, security compliance implementation and assessing. Our clients include some of the largest companies in areas such as finance, telecommunications, insurance, ITC, etc. We are vendor independent provider with a deep expertise since 2001. Our efforts in R&D include vulnerability research, open security project collaboration and whitepapers, presentations and security events participation and promotion. For further information regarding our security services, contact us.