Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Bugtraq
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Thomson SpeedTouch 500 modems vulnerable to XSS

from [preben] Network Security [Permanent Link]
Subject: Thomson SpeedTouch 500 modems vulnerable to XSS
Date: 26 Feb 2006 12:53:12 -0000 

TITLE:
Thomson SpeedTouch 500 series vulnerable to XSS

CRITICAL:
Less critical

IMPACT:
Cross Site Scripting

SOFTWARE:
SpeedTouch 5.3.2.6.0

DESCRIPTION:
There consists a vulnerability in the SpeedTouch modems, which
can be exploited by malicious people to conduct cross-site scripting
attacks, and make a counseled user

Input passed to the LocalNetwork page isn't properly sanitized before being 
returned to the user. This can be exploited to execute arbitrary HTML and 
script code in a user's browser session in context of an affected site.

Such code can also be added through a proxy, because user validation
is only done by JavaScript. If a user is made with injected scripting code
this user will become un-delete able if the code is crafted correctly.


PoC #1 - XSS

http://[host]/cgi/b/intfs/_intf_/ov/?ce=1&be=0&l0=3&l1=1&name=[code here]

PoC #2 - Stealthy user (through proxy)

0=10&1=usrAccApply&34=NewUser&36=1&33=test&31=[code here]



SOLUTION:
Check vendor's site for firmware upgrade.
As of this writing, none is available 

PROVIDED AND DISCOVERED BY:
Preben Nyløkken
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • Thomson SpeedTouch 500 modems vulnerable to XSS, preben <=
Previous by Date:  Archangel Weblog 0.90.02 Admin Authentication Bypass & Remote File Inclusion, kingofska
Next by Date:  [eVuln] Quirex Arbitrary File Disclosure Vulnerability, alex
Previous by Thread:  Archangel Weblog 0.90.02 Admin Authentication Bypass & Remote File Inclusion, kingofska
Next by Thread:  [eVuln] Quirex Arbitrary File Disclosure Vulnerability, alex
Indexes:  [Date] [Thread] [Top] [All Lists]