lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20050117011323.94c6f200@mail.kurczaba.com>
From: advisories at securinews.com (Paul Kurczaba)
Subject: Multiple Vulnerabilities in Netgear FVS318 Router

Multiple Vulnerabilities in Netgear FVS318 Router

http://www.securinews.com/vuln.htm?vulnid=103
-------------------------------------------------

Overview:
The Netgear FVS318 is an easy to use, firewall/router designed for home users and small businesses. SecuriNews Research has found 2 vulnerabilities in the router.


Vendor:
Netgear (http://www.netgear.com)


Affected Systems/Configuration:
2.4, possibly others


Vulnerabilities/Exploits:

1) By using HEX encoded characters, it is possible to bypass the URL filter. For example, if the router administrator blocks the phrase ".exe"; a user can encode one or more characters in the URL phrase to bypass the filter. If we encode the 'x' in ".exe", the new phrase ".e%78e" will bypass the filter.

2) The content filter/log viewer contains a Cross Site Scripting vulnerability. When a user tries to access a blocked URL phrase, it is logged in the Security Log. If a user were to inject JavaScript into a blocked URL phrase, the JavaScript would be executed by the admin's browser when the security log is viewed.


Proof of Concept:

1) Example above.

2) If the router administrator has blocked the URL phrase ".exe", a user can inject JavaScript as follows:

http://www.example.com/somefile.exe</textarea><script>alert('XSS')</script>

Note: The string "</textarea>" must be added before the injected JavaScript, as the security log is placed in a text area.


Workaround:
None.


Date Discovered:
January 14, 2005


Severity:
Low-Medium


Credit:
SecuriNews Research
http://www.securinews.com/



Powered by blists - more mailing lists