I found out that it was possible to run an XSPA (Cross Site Port Attack) using the Avatar URL option on any registered community profile.
XSPA allows attackers to abuse available functionality in most web applications to port scan intranet and external Internet facing servers.
An application is vulnerable to Cross Site Port Attacks if the application processes user supplied URLs and does not verify/sanitize the backend response received from the server.
Proof-of-concept:
In this type of attack I always use the Nmap test machine, scanme.nmap.org, to check which ports are open on the server.
Using Nmap from my own machine I tested 3 ports on scanme.nmap.org:
80/tcp open http
81/tcp closed http
443/tcp closed https
I then entered the following external URL in the Avatar web option at https://community.arubanetworks.com/t5/user/myprofilepage/tab/user-icons%3Aexternal:
http://scanme.nmap.org:80/
No server error.
I modified it to:
http://scanme.nmap.org:81/
And then to:
http://scanme.nmap.org:443/
The following errors were returned on the server:
http://scanme.nmap.org:81 – GET http://scanme.nmap.org:81/ net::ERR_CONNECTION_REFUSED
http://scanme.nmap.org:443 – GET http://scanme.nmap.org:443/ net::ERR_CONNECTION_REFUSED
You can even check that the port is stored in the avatar HTML:
[code lang="html"]
<img id="display" class="lia-user-avatar-message" title="dsopas" src="http://scanme.nmap.org:443/" alt="dsopas" />
[/code]
The Aruba security team has already fixed this issue, so I decided to share it with you guys.
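As an added example that is not part of the original post or of Aruba's code, this is the kind of server-side check that closes this class of bug: a validator for user-supplied avatar URLs that accepts only http/https on the scheme's default port and only hosts that resolve to public addresses. The resolver parameter and the static_resolver helper are assumptions introduced so the check can be exercised offline with constructed lookup data.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Only the default port of each scheme is accepted, so a stored avatar URL
# cannot be turned into a probe of arbitrary ports (81, 443 over http, ...).
DEFAULT_PORTS = {"http": 80, "https": 443}


def _is_public(ip: str) -> bool:
    """True only for globally routable addresses (no RFC 1918, loopback, link-local...)."""
    return ipaddress.ip_address(ip.split("%")[0]).is_global


def static_resolver(table):
    """Offline stand-in for socket.getaddrinfo (assumption for testing); table maps host -> IP."""
    def resolve(host, port, proto=0):
        if host not in table:
            raise socket.gaierror(f"unknown host {host}")
        return [(socket.AF_INET, socket.SOCK_STREAM, proto, "", (table[host], port))]
    return resolve


def validate_avatar_url(url, resolver=socket.getaddrinfo):
    """Return (accepted, reason) for a user-supplied avatar URL."""
    try:
        parts = urlsplit(url)
        port = parts.port              # raises ValueError on a non-numeric port
    except ValueError:
        return False, "unparseable URL or port"
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        return False, f"scheme not allowed: {scheme!r}"
    if not parts.hostname:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in URL"
    if port is not None and port != DEFAULT_PORTS[scheme]:
        return False, f"port {port} not allowed for {scheme}"
    try:
        infos = resolver(parts.hostname, DEFAULT_PORTS[scheme], proto=socket.IPPROTO_TCP)
    except OSError:                    # socket.gaierror is a subclass of OSError
        return False, "host does not resolve"
    for info in infos:                 # reject if ANY returned address is non-public
        ip = info[4][0]
        if not _is_public(ip):
            return False, f"host resolves to non-public address {ip}"
    return True, "ok"
```

The address seen at validation time can differ from the one seen at fetch time (DNS rebinding), so the component that actually fetches the image should re-check the address it connects to. Storing a re-hosted copy of the image instead of the raw URL removes the third-party request from the page altogether.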