
BT Wifi Extenders 300 / 600 / 1200 Cross Site Scripting

22 Sep 2016 | Reported by Jamie Riden | Type: packetstorm | Source: packetstormsecurity.com

BT Wifi Extenders 300/600/1200 Cross Site Scripting leading to PSK disclosure

Code
`BT Wifi Extenders - 300, 600 and 1200 models - Cross Site Scripting  
leading to disclosure of PSK.  
  
A firmware update is required to resolve this issue.  
  
The essential problem is that if you hit the following URL on your  
wifi extender, it will pop up a whole load of private data, including  
your PSK. Instead of doing a pop up, we could exfiltrate that data to  
our server.  
  
/cgi-bin/webproc?%3Asessionid=deadbeef&obj-action=auth&%3Aaction=login&errorpage=html%2Fmain.html&getpage=html/index.html&var:menu=advanced&var:page=conntorouter&var%3Amenu=setup19497%22%3bsetTimeout(function(){alert(%22If%20you%20see%20stuff%20here,%20patch%21%20%22%2bG_arrClient)%3b},1000)%3bvar+foo%3d%22&var%3Asubpage=-  
  
We can automate this within a web page to steal your stuff and I've  
banged together a quick proof of concept here - http://xjs.io/bt.html  
- which will try to find all the BT wifi extenders on your home  
network, but needs to be run in Chrome. This uses Chrome to get the  
list of local network interfaces and then chucks the XSS around the  
whole local network if it finds any. (If it doesn't work, I apologise  
- you'll have to try it by hand instead.)  
  
If you have one of these, you should upgrade - the details are here:  
  
300 model:  
  
http://bt.custhelp.com/app/answers/detail/a_id/54345  
  
600 model:  
  
http://bt.custhelp.com/app/answers/detail/a_id/51867  
  
1200 model:  
  
http://bt.custhelp.com/app/answers/detail/a_id/56465  
  
  
More details here:  
https://www.pentestpartners.com/blog/bt-wi-fi-extender-multiple-security-issues-upgrade-asap/  
  
  
BT were quite responsive, however seem to have just categorised the issue  
as "bug fixes", and I don't think there's an auto-update feature,  
hence this post.  
  
cheers,  
Jamie  
`
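
A defender-side check for the request pattern described in the advisory, added here as an example and not part of the original post: it flags `/cgi-bin/webproc` requests whose `var:*` parameters contain anything other than a plain token, including when the parameter name is percent-encoded or repeated, as in the URL above. The function names, the token allow-list and the access-log format are assumptions; the log lines are constructed.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Assumption: legitimate var:* values are short tokens such as "advanced" or "-".
PLAIN_TOKEN = re.compile(r"[A-Za-z0-9_./-]*")
# Assumption: requests are logged in common access-log style ("GET <target> HTTP/1.1").
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')


def suspicious_params(url):
    """Return (name, value) for each var:* parameter that is not a plain token."""
    parts = urlsplit(url)
    if not parts.path.endswith("/cgi-bin/webproc"):
        return []
    hits = []
    # parse_qsl percent-decodes names and values and keeps duplicates, so a
    # benign "var:menu" followed by a second "var%3Amenu" is still inspected.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.startswith("var:") and not PLAIN_TOKEN.fullmatch(value):
            hits.append((name, value))
    return hits


def scan_log(lines):
    """Return (line_number, parameter_name) for each flagged request."""
    findings = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST.search(line)
        if match:
            findings += [(number, name) for name, _ in suspicious_params(match.group(1))]
    return findings


# URL quoted from the advisory; the log lines wrapped around it are constructed.
ADVISORY_URL = "/cgi-bin/webproc?%3Asessionid=deadbeef&obj-action=auth&%3Aaction=login&errorpage=html%2Fmain.html&getpage=html/index.html&var:menu=advanced&var:page=conntorouter&var%3Amenu=setup19497%22%3bsetTimeout(function(){alert(%22If%20you%20see%20stuff%20here,%20patch%21%20%22%2bG_arrClient)%3b},1000)%3bvar+foo%3d%22&var%3Asubpage=-"
SAMPLE_LOG = [
    '192.168.1.20 - - [22/Sep/2016:10:00:01 +0000] "GET /cgi-bin/webproc?'
    'getpage=html/index.html&var:menu=advanced&var:page=conntorouter HTTP/1.1" 200 5120',
    '192.168.1.20 - - [22/Sep/2016:10:00:07 +0000] "GET ' + ADVISORY_URL + ' HTTP/1.1" 200 5342',
]

if __name__ == "__main__":
    for number, name in scan_log(SAMPLE_LOG):
        print(f"line {number}: unexpected characters in {name}")
```

Checking only the first `var:menu` value would miss this request, because the benign `advanced` value comes before the encoded duplicate.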
