Open Source and information security mailing list archives
Message-ID: <20150204134449.GA18837@komma-nix.de>
Date: Wed, 4 Feb 2015 14:44:49 +0100
From: Michael Meyer <micha@...ma-nix.de>
To: bugtraq@...urityfocus.com
Subject: Re: CVE-2015-1437 XSS In ASUS Router.

*** kingkaustubh@...com wrote:
> #####################################
> Title:- Reflected XSS vulnerability in Asus RT-N10 Plus router
> Author: Kaustubh G. Padwad
> Product: ASUS Router RT-N10 Plus
> Firmware: 2.1.1.1.70
> Severity: HIGH
> Auth: Not required
> CVE ID: CVE-2015-1437

> # Description:
> Vulnerable Parameter: flag=

> # Vulnerability Class:
> Cross Site Scripting (https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XSS))

[...]

> Enter this URL
> 1.http://router/error_page.htm?flag=initial78846%27%3balert(document.lastmodified)%2f%2f372137b5d
> 2.http://router/error_page.htm?flag=initial78846%27%3balert("Hacked_BY_S3curity_B3ast")%2f%2f372137b5d

https://sintonen.fi/advisories/asus-router-auth-bypass.txt

Micha
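
Added example, not part of the original message or of the ASUS firmware: a sketch of how a page handler could treat the `flag` parameter, with an unescaped reflection beside an escaped one and an allow-list check. It assumes the value lands inside a single-quoted JavaScript string (inferred from the shape of the first quoted URL); all function names and the allow-list pattern are hypothetical.

```javascript
// Constructed sample: the query string of the first URL quoted in the advisory.
const SAMPLE_QUERY =
  "flag=initial78846%27%3balert(document.lastmodified)%2f%2f372137b5d";

// Weak form (assumed): the decoded value is concatenated into the script as-is.
function renderNaive(flag) {
  return "var flag = '" + flag + "';";
}

// Context-aware encoding for a JavaScript string literal: every UTF-16 code
// unit outside [A-Za-z0-9] becomes \uXXXX, so the value cannot close the
// string, end the statement, or terminate the enclosing <script> element.
function jsStringEscape(value) {
  const s = String(value);
  let out = "";
  for (let i = 0; i < s.length; i++) {
    const c = s.charCodeAt(i);
    const safe =
      (c >= 48 && c <= 57) || (c >= 65 && c <= 90) || (c >= 97 && c <= 122);
    out += safe ? s[i] : "\\u" + c.toString(16).padStart(4, "0");
  }
  return out;
}

function renderEscaped(flag) {
  return "var flag = '" + jsStringEscape(flag) + "';";
}

// Stricter option: reject anything that is not a short identifier-like token.
// The accepted format is an assumption; the real set of flag values is not
// given in the advisory.
const FLAG_RE = /^[A-Za-z0-9_]{1,32}$/;
function parseFlag(query) {
  const raw = new URLSearchParams(query).get("flag");
  return raw !== null && FLAG_RE.test(raw) ? raw : null;
}

// Evaluate a rendered script with stubbed browser globals and report whether
// alert() was reached. Used only to compare the two renderings offline.
function callsAlert(script) {
  let called = false;
  new Function("alert", "document", script)(() => { called = true; }, {});
  return called;
}
```

Escaping and allow-listing are complementary: the allow-list rejects the request early, and the escaper keeps the output safe if the accepted format is later widened.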