Fvega1
commented
2 years ago Hi Daniel,
Thanks for pointing this out.
Fortunately this was fixed in v3.0 by introducing CSP directives to VirtualUI. These are now handled in a file inside the installation folder.
Please, let me know if you find anything else.
Dear Cybele Software,
My name is Daniel Morales, from the IT Security Team of ARHS Spikeseed.
I recently found a functionality in Thinfinity VirtualUI that could allow to a malicious actor to perform social engineering attacks such as phishing via the directory /lab.html reachable by default.
How it works By accessing the following payload (URL) an attacker could iframe any external website (of course, only external endpoints that allows being iframed). The impact is a good phishing.
Payload The vulnerable vector is "https://example.com/lab.html?vpath=//wikipedia.com " where "vpath=//" is the pointer to the external site to be iframed.
Vulnerable versions It has been tested in VirtualUI version 2.1.37.2, 2.1.42.2, 2.5.0.0, 2.5.36.1, 2.5.36.2 and 2.5.41.0.