packetstorm, Nicholas Lehman, PACKETSTORM:135365
Jan 24, 2016 - 12:00 a.m.

ZyXel WAP3205 Cross Site Scripting

packetstormsecurity.com
`#Vendor: ZyXel WAP3205 - version 1 (Product is EOL and no patch  
forthcoming)  
#Firmware version: V1.00(BFR.6) - V1.00(BFR.8)C0  
#Exploit Author: Nicholas Lehman @GraphX  
#Vulnerability: Multiple persistent and reflected XSS vulnerabilities  
  
Description:  
Multiple persistent XSS vulnerabilities have been discovered in the ZyXel  
WAP3205 (version 1) wireless access point. These vulnerabilities could  
allow an authenticated attacker to insert persistent malicious code on  
several pages, using several different fields. The WAP is End-Of-Life  
according to the vendor, which will not be issuing a patch for these  
vulnerabilities.  
  
Proof of Concept:  
The first vulnerability discovered pertained to the inputs found on  
http://<ROUTER_IP>/local/advance/main_maintenance_frame.html  
  
The domain_name and system_name inputs are vulnerable to reflected  
cross-site scripting and there does not appear to be any validation or  
sanitization of those inputs. The admin_inactivity_time input is vulnerable  
to persistent XSS with the following code being used:  
admin_inactivity_timer=0"><script>alert(document.cookie)</script><input  
  
The date and time tab is also vulnerable to persistent cross-site  
scripting. The following inputs allow for malicious code to be stored and  
executed:  
NTPServerIP  
servertype  
timedatatype  
  
Solution:  
ZyXel was informed of the vulnerability, but since the router is end of  
life, a patch will not be released.  
Upgrade to a supported WAP.  
  
`
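The advisory attributes the issue to missing validation and sanitization of the stored settings. The Python sketch below is an added example, not code from the advisory or from ZyXel's firmware: it renders the advisory's proof-of-concept value into an input's `value` attribute without and with attribute-context encoding, and rejects it at save time with an allowlist. The function names and the allowed formats for each field are assumptions.

```python
import html
import re

# Constructed sample: the value from the advisory's proof of concept.
POC_VALUE = '0"><script>alert(document.cookie)</script><input'

# Assumed formats for fields the advisory names (hypothetical allowlists).
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME = re.compile(LABEL + r"(?:\." + LABEL + r")*")
VALIDATORS = {
    "admin_inactivity_timer": re.compile(r"[0-9]{1,4}"),
    "NTPServerIP": HOSTNAME,
    "domain_name": HOSTNAME,
    "system_name": re.compile(r"[A-Za-z0-9_-]{1,32}"),
}

def validate(field, value):
    """True only if the whole value matches the field's allowlist.
    Fields without a validator are rejected (default deny)."""
    pattern = VALIDATORS.get(field)
    return bool(pattern and len(value) <= 253 and pattern.fullmatch(value))

def render_unsafe(field, value):
    """Behaviour the advisory describes: the stored value is echoed verbatim,
    so a double quote closes the attribute and the rest becomes markup."""
    return f'<input name="{field}" value="{value}">'

def render_safe(field, value):
    """Encode for the HTML attribute context before writing the page."""
    return f'<input name="{field}" value="{html.escape(value, quote=True)}">'

def save_setting(store, field, value):
    """Validate on input so a hostile value is never persisted."""
    if not validate(field, value):
        raise ValueError(f"rejected value for {field}")
    store[field] = value

if __name__ == "__main__":
    print(render_unsafe("admin_inactivity_timer", POC_VALUE))
    print(render_safe("admin_inactivity_timer", POC_VALUE))
    settings = {}
    try:
        save_setting(settings, "admin_inactivity_timer", POC_VALUE)
    except ValueError as exc:
        print(exc, "| stored settings:", settings)
```

Validation and encoding are complementary: the allowlist keeps markup out of storage, while encoding at render time protects values that were stored before validation existed.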