SecurityTracker.com
Category:   Device (Router/Bridge/Hub)  >   2Wire Gateway
Vendors:   2Wire, Inc.
2Wire Gateway Input Validation Flaw Permits Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1008798
SecurityTracker URL:  http://securitytracker.com/id/1008798
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jan 21 2004
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information


Description:   An input validation vulnerability was reported in the 2Wire Gateway. A remote user can conduct cross-site scripting attacks against administrators.

Rafel Ivgi (The-Insider) reported that a remote user can modify the SSL-based authentication web form's action parameter to cause commands or scripting code to be executed when the form is loaded.

A demonstration action value is provided:

http://[target]/wra/public/wralogin/?error=61&return=password/../../../../boot.ini

It appears that a remote user can create a specially crafted form that, when loaded by a target administrator, will cause arbitrary scripting code to be executed by the target administrator's browser. The code will originate from the 2Wire Gateway device and will run in the security context of that site. As a result, the code may be able to access the target administrator's cookies (including authentication cookies), if any, associated with the device, access data recently submitted by the target administrator via web form to the device, or take actions on the device acting as the target administrator.

Impact:   A remote user may be able to access the target administrator's cookies (including authentication cookies), if any, associated with the device, access data recently submitted by the target administrator via web form to the device, or take actions on the device acting as the target administrator.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.2wire.com/
Cause:   Input validation error
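
A server-side check for the `return` parameter used in the demonstration URL, as an added example (not SecurityTracker's, the reporter's or 2Wire's code). The function names, the reason labels and the host `gateway.example` are assumptions; the sample requests are constructed, with only the path and the `boot.ini` value taken from the advisory.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Example code added for illustration; names and reason labels are assumptions.
MARKUP = re.compile(r"[<>\"'`\x00-\x1f]")
SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*:")

def check_return_value(value, max_decode=3):
    """Return the reasons a 'return' value must be rejected (empty list = accept)."""
    decoded = value
    for _ in range(max_decode):      # undo nested percent-encoding (%252e -> %2e -> .)
        step = unquote(decoded)
        if step == decoded:
            break
        decoded = step
    reasons = []
    if MARKUP.search(decoded):       # could break out of an HTML attribute when reflected
        reasons.append("markup-or-control-characters")
    if SCHEME.match(decoded) or decoded.startswith("//"):
        reasons.append("absolute-url")
    path = decoded.replace("\\", "/")  # treat Windows separators like '/'
    if path.startswith("/"):
        reasons.append("absolute-path")
    if ".." in path.split("/"):      # any parent-directory segment
        reasons.append("path-traversal")
    return reasons

def audit_request(url):
    """Check every 'return' parameter in a request URL; parse_qs decodes once."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    findings = []
    for value in params.get("return", []):
        findings.extend(check_return_value(value))
    return findings

# Constructed sample requests; gateway.example is a placeholder host.
BASE = "http://gateway.example/wra/public/wralogin/?error=61&return="
SAMPLES = [
    BASE + "password",
    BASE + "password/../../../../boot.ini",   # value from the advisory
    BASE + "%252e%252e%252fboot.ini",          # double-encoded '../'
    BASE + "%22%3E%3Cb%3E",                     # quote and angle brackets
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", audit_request(sample) or "ok")
```

Rejecting the value on input is one layer; the value also needs HTML-attribute encoding wherever it is written back into the login form.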

Message History:   None.


 Source Message Contents

Subject:  2Wire-Gateway Cross Site Scripting and Directory Transversal bug in SSL Form


#######################################################################

Application:    2Wire-Gateway/WebGateway
Vendor:           http://www.2wire.com
Versions:        All
Platforms:       Windows
Bug:          Cross Site Scripting and Directory traversal bug in SSL Form Authentication
Risk:                high
Exploitation:   Remote with browser
Date:               25 Dec 2003
Author:            Rafel Ivgi, The-Insider
e-mail:             the_insider@mail.com
web:                http://theinsider.deep-ice.com

#######################################################################

1) Introduction
2) Bug
3) The Code

#######################################################################

===============
1) Introduction
===============

2Wire is a communications company that sells Internet- and network-related
devices, such as routers. The web server on 2Wire's most common routers is
"2Wire-Gateway". It includes SSL (Secure Sockets Layer) form authentication.


#######################################################################

======
2) Bug
======

The SSL (Secure Sockets Layer) form authentication has an XSS (Cross Site
Scripting) flaw that allows an attacker to change the form's action
parameters. An attacker is able to inject script and URLs into the form's
action and by that traverse directories on the server.
This allows him to see and download any file in the remote system knowing
the path.
However, exploiting this vulnerability is very hard because the attacker
has to connect to the target through the browser and accept the SSL
connection; the exploit is very hard to reproduce.

#######################################################################

===========
3) The Code
===========

<form name="wralogin" method="get"
action="http://<host>/wra/public/wralogin/?error=61&return=password/../../../../boot.ini">
<input type="hidden" name="authcode" value="MUQmqC/sBiXfslfYEooIJg==">
<center>
<input type="password" name="password" value="">
<input type="submit" alt="Submit" width="58" height="19" border="0"></td>
</form>
</body>
</html>

#######################################################################

---
Rafel Ivgi, The-Insider
http://theinsider.deep-ice.com

"Things that are unlikeable, are NOT impossible."

 
 


Copyright 2018, SecurityGlobal.net LLC