exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Linksys WAP54Gv3 debug.cgi Cross Site Scripting

Linksys WAP54Gv3 debug.cgi Cross Site Scripting
Posted Jun 25, 2010
Authored by Cristofaro Mune | Site icysilence.org

The Linksys WAP54Gv3 suffers from a cross site scripting vulnerability in debug.cgi.

tags | exploit, cgi, xss
SHA-256 | 294313708cbc83d56122cedaf08f5a02cddf5080987bfeafe6d1d13f7fe35f20

Linksys WAP54Gv3 debug.cgi Cross Site Scripting

Change Mirror Download
Security Advisory

IS-2010-003 - Linksys WAP54Gv3 debug.cgi Cross-Site Scripting



Advisory Information
--------------------
Published (dd/mm/yy):
23/06/2010

Updated (dd/mm/yy):
23/06/2010

Manufacturer: Linksys
Model: WAP54G
Hardware version: v3.x
Firmware version: ver.3.05.03 (Europe)
ver.3.04.03 (US)



Vulnerability Details
---------------------
Class:
Cross-Site Scripting


Public References:
Not Assigned


Platform:
Successfully tested on Linksys WAP54Gv3 loaded with firmware version
Ver.3.05.03 (Europe)
Vulnerability present also on firmware ver.3.04.03 (US)
Other models and/or firmware versions may be also affected.


Background Information:
Linksys WAP54G is a wireless access points that allow wireless clients
connectivity to wired networks.
Supported 802.11b and 802.11g protocols, with data rates up to 54Mbit/s.


Summary:
A cross-site scripting vulnerability is present in the debug.cgi page,
that is accessible by using proper debug credentials


Details:
The debug.cgi page act as debug interface for the Linksys WAP54Gv3 and
is accessible by authenticating with proper debug credentials at the
following URL:

http://AP_IP_ADDR/debug.cgi

where AP_IP_ADDR is the IP address of the device.

Commands to be executed by the system are sent within the data1 POST
variable, while the command output is returned within a <textarea> tag
in the output html page.
Output is not sanitized in any way, allowing for a Cross-site scripting
condition that can be triggered by any command that includes a
</textarea> closing tag in its output.
Additional text following such tag will be interpreted as regular HTML
by the accessing user browser, allowing for injection of Javascript
code, that will be run in the context of the presented web page.


Proof of Concept:
echo "</textarea><script>alert('XSS');</script>"


Impacts:
The vulnerability may allow an attacker to access the output of commands
during a "Remote blind" attack, where malicious web pages are used by
the attacker over the Internet to execute code on a victim access point
with private addressing, by leveraging an user browser as a 3rd party
"reflector".
This would also allow an attacker to extract information and
configuration stored on devices that are not even able to access the
Internet (eg: firewall policy, gateway not configured)



Solutions & Workaround:
Not available



Additional Information
----------------------
Timeline (dd/mm/yy):
09/11/2009: Requested Point of Contact to Linksys
10/11/2009: Received Point of Contact
10/11/2009: Vulnerability details sent
12/11/2009: Received clarification request on firmware version
12/11/2009: Additional details sent
16/01/2010: Requested update on vulnerability status.
----------- No update received -----------
23/06/2010: This advisory


Additional information available at http://www.icysilence.org


Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    69 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close