PaloAlto Captive Portal XSS Attack

PaloAlto has issued a patch for an XSS attack on the captive portal that I disclosed a few months back. The official advisory can be found here:

https://securityadvisories.paloaltonetworks.com/Home/Detail/66
(Detail taken from https://securityadvisories.paloaltonetworks.com/)

The attack has been given a CVSS score of 6.1:

(Screenshot taken from IBM X-Force: https://exchange.xforce.ibmcloud.com/vulnerabilities/118524)

Below follows the original report submitted to PaloAlto along with sample exploit code:

Version: PANOS 7.0.5

Summary: XSS issue in the HTML used for the user login portal. An attacker can run arbitrary JavaScript by manipulating the username field. See attached screenshot.

Steps to Reproduce:

  1. Set up a plain vanilla, standard HTTP captive portal, using the web form option.
  2. A user will be presented with the default captive portal.
  3. As a username, enter something like (including all quotes):

";alert ('i can steal your cookies');var test="

  4. Alert is shown (see screenshot below)

 


https://docs.google.com/document/d/1ySL-Md2d2p9oDIHsFU-WRpyTqbHZOKkWW-VDFmEQiWY/pub
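
The shape of the username in step 3 (a closing double quote, a statement, then a reopened string) suggests the value is written unescaped into a double-quoted JavaScript string. The JavaScript below is an added example, not code from the report, the advisory or PAN-OS: the inline-script template and all function names are assumptions, since the page does not show the portal's HTML. It renders that hypothetical template with and without output encoding and records whether the injected alert runs.

```javascript
// Added example: hypothetical captive-portal template, not PAN-OS code.
// Assumption: the username is echoed into a double-quoted JS string
// inside an inline <script> block.

// The username from step 3 of the report, with plain ASCII quotes.
const PAYLOAD = "\";alert ('i can steal your cookies');var test=\"";

// Vulnerable: raw concatenation lets a '"' end the string literal early.
function renderUnsafe(username) {
  return '<script>var user="' + username + '";</script>';
}

// Hardened: encode for a JavaScript string that lives inside HTML.
// JSON.stringify escapes quotes, backslashes and control characters; the
// extra replacements stop "</script>" and U+2028/U+2029 from ending the
// script block or the line.
function jsStringEncode(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

function renderSafe(username) {
  return '<script>var user=' + jsStringEncode(username) + ';</script>';
}

// Test harness: run the inline script with a stub alert() that records
// calls, and return the value the page ends up holding in `user`.
// Only for constructed input like PAYLOAD; new Function is not a sandbox.
function runInlineScript(html) {
  const body = html.slice('<script>'.length, -'</script>'.length);
  const alerts = [];
  const run = new Function('alert', body + '\nreturn user;');
  const user = run((msg) => alerts.push(msg));
  return { alerts, user };
}

const unsafe = runInlineScript(renderUnsafe(PAYLOAD));
const safe = runInlineScript(renderSafe(PAYLOAD));
console.log('unsafe: alerts =', unsafe.alerts, 'user =', JSON.stringify(unsafe.user));
console.log('safe:   alerts =', safe.alerts, 'user =', JSON.stringify(safe.user));
```

With encoding applied, the whole input stays inside the string literal, so `user` holds the submitted text verbatim and no statement from it executes.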