Persistent HTML Injection/XSS in Netgear VMDG480 Routers
----------------------------------------------------------

This vulnerability requires the user to be logged in as the administrator. The vulnerability exists in the RgFirewallEL.asp page of the router and is typically accessible within a LAN from http://192.168.0.1/RgFirewallEL.asp, it may also be accessed remotely if remote administration is enabled, typically on port 8080.

By POST'ing correctly structured HTML/Javascript in the 'EmailAddress' parameter's value (after loose client side javascript 'validation') the POST'ed HTML/Javascript is persistently injected into the 'Logs' (RgFirewallEL.asp) page.

Proof of concept:

After logging in as 'admin' (default password 'changeme'), fill in the fields.

use Tamper Data Firefox add-on, or a similar tool to change the POST value of the 'EmailAddress' parameter to something like.

''></td><script>javascript:alert('pwned by xss!')</script

your HTML Injection/XSS will popup an alert box.