Details
Product Vendor: Netgear
Bug Name: Cross Site Scripting in Netgear Router Version 1.0.0.24
Software: Netgear Router Firmware
Version: 1.0.0.24
Last Updated: 10-06-2015
Homepage: http://netgear.com/
Severity: High
Vulnerable URL: http://router-ip/cgi-bin/webproc?getpage=html/page.htm&var:page=RST_status&var:menu=advanced&t=1445843230593
Vulnerable Variables: getpage, var:page & var:menu
Parameter type: GET
Status: Fixed
Exploitation Requires Authentication?: no
POC URL: https://www.youtube.com/watch?v=ITLg-uL68CU&index=7&list=PLrTr4Cobqhhw-72HKFFuwgBu6gXJSmeoT
Description
Cross Site Scripting (XSS) vulnerability in Netgear Router Firmware Version 1.0.0.24. By exploiting a Cross-site scripting vulnerability the attacker can hijack a logged in user’s session by stealing cookies. This means that the malicious hacker can change the logged in user’s password and invalidate the session of the victim while the hacker maintains access.
Proof of concept: (POC)
Inject the malicious JavaScript code
"></scripT><scripT>alert(1)</scripT>
into the getpage variable in the URL http://router-ip/cgi-bin/webproc?getpage=html/page.htm&var:page=RST_status&var:menu=advanced&t=1445843230593 and view the page in a browser: the payload executes, i.e. Cross Site Scripting (XSS). Note: the var:page & var:menu variables can likewise be injected with a malicious JavaScript payload and used as a vehicle for further attack.
Issue 1:
The getpage GET parameter in the following URL http://router-ip/cgi-bin/webproc?getpage=html/page.htm&var:page=RST_status&var:menu=advanced&t=1445843230593 is vulnerable to Cross Site Scripting (XSS).
Figure 1: XSS payload injected into the getpage variable and echoed back in the response to the URL http://router-ip/cgi-bin/webproc?getpage=html/page.htm&var:page=RST_status&var:menu=advanced&t=1445843230593
Figure 2: XSS Payload gets reflected in the browser
Issue 2:
The var:page GET parameter in the following URL http://router-ip/cgi-bin/webproc?getpage=html/page.htm&var:page=RST_status&var:menu=advanced&t=1445843230593 is vulnerable to Cross Site Scripting (XSS).
Figure 3: XSS payload injected into the var:page variable and echoed back in the response to the URL http://router-ip/cgi-bin/webproc?getpage=html/page.htm&var:page=RST_status&var:menu=advanced&t=1445843230593
Issue 3:
The var:menu GET parameter in the following URL http://router-ip/cgi-bin/webproc?getpage=html/page.htm&var:page=RST_status&var:menu=advanced&t=1445843230593 is vulnerable to Cross Site Scripting (XSS).
Figure 4: XSS payload injected into the var:menu variable and echoed back in the response to the URL http://router-ip/cgi-bin/webproc?getpage=html/page.htm&var:page=RST_status&var:menu=advanced&t=1445843230593
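All three issues share one root cause: the webproc CGI reflects GET parameters into the page without validating or encoding them. The following is an added defensive model, not code from this advisory or from Netgear's firmware, showing the two layers that would have closed it: an allow-list for the three reflected parameters (the regexes are assumptions derived from the legitimate values in the advisory URL) and HTML entity encoding for anything that is echoed. The advisory's own URL and payload are reused as the test input.

```python
"""Defensive model of a webproc-style CGI handler (constructed example)."""
import html
import re
from urllib.parse import parse_qs, urlsplit

# Allow-list shapes are assumptions derived from the legitimate values in the
# advisory URL (html/page.htm, RST_status, advanced); adjust to the real page set.
PARAM_RULES = {
    "getpage": re.compile(r"html/[A-Za-z0-9_]+\.htm"),
    "var:page": re.compile(r"[A-Za-z0-9_]+"),
    "var:menu": re.compile(r"[A-Za-z0-9_]+"),
}

# The advisory's vulnerable URL and payload, reused here as test input.
ADVISORY_URL = ("http://router-ip/cgi-bin/webproc?getpage=html/page.htm"
                "&var:page=RST_status&var:menu=advanced&t=1445843230593")
PAYLOAD = '"></scripT><scripT>alert(1)</scripT>'
INJECTED_URL = ADVISORY_URL.replace("page.htm", "page.htm" + PAYLOAD)


def validate_params(url):
    """Layer 1: (True, params) only if each reflected parameter is present
    exactly once and matches its allow-list; otherwise (False, {})."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    params = {}
    for name, rule in PARAM_RULES.items():
        values = qs.get(name, [])
        if len(values) != 1 or not rule.fullmatch(values[0]):
            return False, {}
        params[name] = values[0]
    return True, params


def encode_for_html(value):
    """Layer 2: entity-encode & < > " ' so a reflected value can neither close
    an attribute nor open a tag (defence in depth behind the allow-list)."""
    return html.escape(value, quote=True)


def render_status_page(url):
    """Reject input that fails validation; encode whatever is reflected."""
    ok, params = validate_params(url)
    if not ok:
        return "HTTP/1.1 400 Bad Request\r\n\r\ninvalid parameter"
    safe = {k: encode_for_html(v) for k, v in params.items()}
    body = ('<input type="hidden" name="getpage" value="%s">\n'
            '<div id="menu">%s / %s</div>'
            % (safe["getpage"], safe["var:page"], safe["var:menu"]))
    return "HTTP/1.1 200 OK\r\n\r\n" + body
```

Run `render_status_page(INJECTED_URL)` to see the allow-list reject the payload outright, and `encode_for_html(PAYLOAD)` to see that even if validation were bypassed the encoded value contains no `<`, `>` or `"` and so cannot break out of the attribute it is reflected into.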
Timeline
28/10/2015 - Discovered in Netgear Router Firmware Version 1.0.0.24
28/10/2015 - Reported to vendor through the support option; no response
30/10/2015 - Reported to vendor through another support option available here; again no response
03/11/2015 - Finally, the technical team started addressing the issue after many follow-ups by phone and mail
13/12/2015 - Vulnerability fixed and case closed
30/12/2015 - Netgear released updated version 1.0.0.32
Discovered by:
Sathish from Cyber Security Works Pvt Ltd