# Exploit Title: Multiple vulnerabilities in SynTail 1.5 Build 566 (CSRF/Stored XSS) # Date: 07-05-2015 # Exploit Author: Marlow Tannhauser # Contact: marlowtannhauser@gmail.com # Vendor Homepage: http://www.synametrics.com # Software Link: http://web.synametrics.com/SynTailDownload.htm # Version: 1.5 Build 566. Earlier versions may also be affected. # CVE: 2015-3140 # Category: Web apps # DISCLOSURE TIMELINE # 08/02/2015: Initial disclosure to vendor and CERT 09/02/2015: Acknowledgment of vulnerabilities from vendor 11/02/2015: Disclosure deadline of 01/03/2015 agreed with vendor 19/02/2015: Disclosure deadline renegotiated to 01/04/2015 at vendor's request 09/04/2015: Disclosure deadline renegotiated to 20/04/2015 at vendor's request 20/04/2015: Confirmation of fix from vendor 07/05/2015: Disclosure Note that the CVE-ID is for the CSRF vulnerability only. No CVE-ID has been generated for the stored XSS vulnerabilities. The vulnerable version of the product is no longer available for download from the vendor's webpage. # EXPLOIT DESCRIPTION # SynTail 1.5 Build 566 is vulnerable to CSRF attacks, which can also be combined with stored XSS attacks (authenticated administrators only). The JSESSIONID created when a user logs on to the system is persistent and does not change across requests. # POC 1 # The following PoC uses the CSRF vulnerability to create a new file bundle, and combines it with one of the stored XSS vulnerabilities
# POC 2 # The following PoC uses the CSRF vulnerability to create a new user with the details shown
# STORED XSS VULNERABILITIES # Stored XSS vulnerabilities are present in the following fields: Manage Users > Create a new user > Full name field and Email field Example URL: POST request Manage file bundles > Create a new file bundle > Friendly name field and File path field Example URL: POST request # MITIGATION # Upgrade to the latest build of SynTail, available from the link shown.