lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CAMWaY3MKB9vuD4prt-Afv9PpNhcM0UGuycd66EpjVX685f97+Q@mail.gmail.com>
Date: Mon, 11 Jan 2016 16:41:26 +0530
From: CSW Research Lab <disclose@...ersecurityworks.com>
To: cve-assign@...re.org, oss-security@...ts.openwall.com
Cc: fulldisclosure@...lists.org, submissions@...ketstormsecurity.com,
 fulldisclosure-request@...lists.org, bugs@...uritytracker.com,
 packet@...ketstormsecurity.com
Subject: [FD] Cross Site Request Forgery in Netgear Router JNR1010 Version
	1.0.0.24

Hi,

Can you assign CVE id to this flaw?

Details
================

#Product Vendor: Netgear
#Netgear GPL:
http://kb.netgear.com/app/answers/detail/a_id/2649/~/netgear-open-source-code-for-programmers-(gpl)

http://www.gnu.org/licenses/gpl.txt
#Bug Name: Cross Site Request Forgery in Netgear Router JNR1010 Version
1.0.0.24
#Software: Netgear Router JNR1010 Firmware
#Version: 1.0.0.24
#Last Updated: 10-06-2015
<http://kb.netgear.com/app/answers/detail/a_id/29270/~/jnr1010-firmware-version-1.0.0.24>
#Homepage: http://netgear.com/
#Severity High
#Status: Fixed
<http://kb.netgear.com/app/answers/detail/a_id/30177/~/jnr1010-firmware-version-1.0.0.32>

#CVE : not assigned
#POC Video URL: https://www.youtube.com/watch?v=tET-t-3h7TU



Description
================
Using this flaw, an attacker can cause victims to change any data the
victim is allowed to change or perform any function the victim is
authorized to use.

Technical Details
================
Created a forged request changing the value of any variable, here it is
*:InternetGatewayDevice.X_TWSZ-COM_URL_Filter.BlackList.1.URL *variable in
the URL http://router-ip/cgi-bin/webproc and sent it to victim forcing
him/her to click on the malicious link generated by an attacker with
different session allows an attacker to change the settings of the victim’s
router.

For more, also refer -
https://github.com/cybersecurityworks/Disclosed/issues/13

*Note:* Similarly, we can manipulate any request and can force victim to
access the link generated by the attacker to make changes to the router
settings without victim’s knowledge.

Advisory Timeline
================

28/10/2015 - Discovered in Netgear Router JNR1010 Firmware Version 1.0.0.24
28/10//2015 - Reported to vendor through support option but, no response
30/10//2015 - Reported to vendor through another support option available
here <http://support.netgear.com/for_home/default.aspx>. But, again no
response.
03/11/2015 - Finally, Technical Team started addressing about the issue
after so many follow ups through phone/mail.
13/12/2015 - Vulnerability got fixed & case was closed.
30/12/2015 - Netgear Released updated version 1.0.0.32
<http://kb.netgear.com/app/answers/detail/a_id/30177/~/jnr1010-firmware-version-1.0.0.32>

Fix
================
https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

Credits & Authors
================
Sathish Kumar <sathish@...ersecurityworks.com> from cybersecurityworks Pvt
Ltd <http://www.cybersecurityworks.com/>

About Cybersecurityworks
================
Cybersecurity Works is basically an auditing company passionate working on
findings & reporting security flaws & vulnerabilities on web application
and network. As professionals, we handle each client differently based on
their unique requirements. Visit our website
<http://www.cybersecurityworks.com/> for more information.

-- 
----------
Cheers !!!

Team CSW Research Lab <http://www.cybersecurityworks.com>

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ