The attacker bypasses input validation by using doubled characters in
order to perform a cross-site scripting attack. Some filters fail to
recognize dangerous sequences if they are preceded by repeated characters.
For example, by doubling the < before a script command (<<script,
or %3C%3Cscript using URI encoding), the filters of some web applications may
fail to recognize the presence of a script tag. If the targeted server is
vulnerable to this type of bypass, the attacker can create a crafted URL or
other trap to cause a victim to view a page on the targeted server where the
malicious content is executed, as per a normal XSS attack.
Attack Prerequisites
The targeted web application does not fully normalize input before
checking for prohibited syntax. In particular, it must fail to recognize
prohibited methods preceded by certain sequences of repeated
characters.
Resources Required
The attacker must trick the victim into following a crafted link to a
vulnerable server or viewing a web post where the dangerous commands are
executed.
Solutions and Mitigations
Design: Use libraries and templates that minimize unfiltered input.
Implementation: Normalize, filter and sanitize all user-supplied
fields.
Implementation: The victim should configure the browser to minimize active
content from untrusted sources.
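
The following is an added example, not code from the original entry or from any affected product. It shows a tag check that reads the doubled < as part of the tag name and so misses <<script, next to a check that normalizes first, plus output encoding as the control that does not depend on the filter. The function names and the denylist are assumptions made for the illustration.

```python
import html
import re
from urllib.parse import unquote

BLOCKED_TAGS = {"script", "iframe", "object"}  # constructed denylist for the demo


def naive_is_clean(value: str) -> bool:
    """Flawed check: treats everything after one '<' as the tag name, so
    '<<script' yields the name '<script', which is not on the denylist."""
    names = re.findall(r"<([^\s>]*)", value)
    return not any(n.lower() in BLOCKED_TAGS for n in names)


def normalize(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value is stable, then collapse runs of '<'
    or '>' to a single character. Input that keeps changing is rejected."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return re.sub(r"([<>])\1+", r"\1", value)
        value = decoded
    raise ValueError("input still changes after repeated decoding")


def strict_is_clean(value: str) -> bool:
    """Same denylist, applied only after normalization."""
    names = re.findall(r"<([^\s>]*)", normalize(value))
    return not any(n.lower().lstrip("/") in BLOCKED_TAGS for n in names)


def render(value: str) -> str:
    """Output encoding: markup characters become entities, so the value is
    inert in an HTML body whatever the input filter decided."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    # Constructed inputs, taken from the strings discussed in the text above.
    for sample in ["<script>", "<<script>", "%3C%3Cscript%3E", "a << b"]:
        print(f"{sample!r:22} naive_clean={naive_is_clean(sample)!s:5} "
              f"strict_clean={strict_is_clean(sample)!s:5} "
              f"rendered={render(unquote(sample))!r}")
```

The denylist check is kept only to show the normalization gap; encoding at output is what keeps the value from being interpreted as markup.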
The WHM interface 11.15.0 for cPanel 11.18 before 11.18.4 and 11.22
before 11.22.3 allows remote attackers to bypass XSS protection and
inject arbitrary script or HTML via repeated, improperly-ordered "<"
and ">" characters in the (1) issue parameter to
scripts2/knowlegebase, (2) user parameter to scripts2/changeip, (3)
search parameter to scripts2/listaccts, and other unspecified vectors.