Gist by farid007 (8855031bad0e497264e4879efb5bc9f8), last active May 18, 2020 04:28
Rconfig 3.9.4 Session Fixation and XSS
1. Cross-Site Scripting (XSS) (CVE-2020-12256)
rConfig 3.9.4 is vulnerable to cross-site scripting. The devicemgmnt.php file does not properly validate the user-supplied input it reflects. An attacker can exploit this flaw by placing arbitrary JavaScript ("><script>alert(document.cookie)</script>) in the `deviceId` GET parameter of devicemgmnt.php, which results in execution of that JavaScript.
Steps to reproduce:
1. Log in with valid credentials.
2. Go to https://ip-rconfig/devicemgmt.php?deviceId="><script>alert(document.cookie)</script>
2. Cross-Site Scripting (XSS) (CVE-2020-12259)
rConfig 3.9.4 is vulnerable to cross-site scripting. The configDevice.php file does not properly validate the user-supplied input it reflects. An attacker can exploit this flaw by placing arbitrary JavaScript ("><script>alert(document.cookie)</script>) in the `rid` GET parameter of configDevice.php, which results in execution of that JavaScript.
Steps to reproduce:
1. Go to https://ip-rconfig/configDevice.php?rid="><script>alert(document.cookie)</script>
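Both findings above are the same defect: a GET parameter is reflected into the page without output encoding. The following added example (not code from the gist or from the rConfig project; the hidden-input markup, the integer format of `deviceId` and the function names are assumptions made for illustration) shows the reflection pattern in a vulnerable and a hardened form, using the advisory's own payload, together with a simple check that a test suite can run over rendered fragments.

```python
import html
import re

# Constructed sample input: the payload quoted in the advisory.
XSS_PAYLOAD = '"><script>alert(document.cookie)</script>'

# Assumed markup: the parameter is reflected into a hidden form field.
_TEMPLATE = '<input type="hidden" name="deviceId" value="{}">'


def render_vulnerable(device_id: str) -> str:
    """Reflects the GET parameter verbatim into an attribute value.

    This is the defect pattern the advisory describes: the quote in the
    payload closes the attribute and the rest opens a <script> tag.
    """
    return _TEMPLATE.format(device_id)


def render_hardened(device_id: str) -> str:
    """Same markup, but the value is HTML-entity encoded with quotes escaped,
    so it can neither terminate the attribute nor start a new tag."""
    return _TEMPLATE.format(html.escape(device_id, quote=True))


def validate_device_id(raw: str) -> int:
    """Allow-list validation (assumed: device ids are small positive integers).

    Rejecting anything that is not an integer at the boundary means the
    payload never reaches the template at all; output encoding above is
    still applied as defence in depth.
    """
    if not re.fullmatch(r"\d{1,10}", raw):
        raise ValueError("deviceId must be a positive integer")
    return int(raw)


_SCRIPT_TAG = re.compile(r"<\s*script", re.IGNORECASE)


def contains_injected_script(rendered_html: str) -> bool:
    """Check usable in a regression test: a <script tag has no business
    appearing in a fragment that should only contain a hidden input."""
    return _SCRIPT_TAG.search(rendered_html) is not None


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(XSS_PAYLOAD))
    print("hardened:  ", render_hardened(XSS_PAYLOAD))
```

Encoding with `quote=True` is what matters for an attribute context: without it the `"` survives and the attribute can still be closed.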
3. Session Fixation (CVE-2020-12258)
rConfig is vulnerable to session fixation: the session identifier is not randomized on login, and the same session is reused before and after login. An attacker can exploit this vulnerability by chaining it with the XSS above: by setting the user's session identifier he can take control of the user's account.
Steps to reproduce:
1. Confirm that the session identifier is the same before and after logging in.
2. Now trigger the XSS so that it sets the session cookie
(https://ip-rconfig/configDevice.php?rid="><script>document.cookie="PHPSESSID=123456789"</script>).
3. Observe that the session identifier has been set to the value of our choice.