[Full-disclosure] ifnet.it WEBIF XSS Vulnerability

2007-10-23T00:00:00
ID SECURITYVULNS:DOC:18252
Type securityvulns
Reporter Securityvulns
Modified 2007-10-23T00:00:00

Description


|| WWW.SMASH-THE-STACK.NET ||

|| ADVISORY: IFNET.IT WEBIF XSS VULNERABILITY


|| 0x00: ABOUT ME
|| 0x01: DATELINE
|| 0x02: INFORMATION
|| 0x03: EXPLOITATION
|| 0x04: GOOGLE DORK
|| 0x05: RISK LEVEL




|| 0x00: ABOUT ME

Author: SkyOut
Date: October 2007
Contact: skyout[-at-]smash-the-stack[-dot-]net
Website: www.smash-the-stack.net


|| 0x01: DATELINE

2007-10-15: Bug found
2007-10-15: Email with notification sent to ifnet.it
2007-10-21: Still no reaction from ifnet.it
2007-10-22: Advisory released


|| 0x02: INFORMATION

In the WEBIF product by the Italian company ifnet, the webif.exe program does not filter the "cmd" variable. By manipulating this parameter it is possible to execute any JavaScript code.


|| 0x03: EXPLOITATION

No exploit code is needed for this bug; everything can be done by manipulating the given URL:

STEP 1: Go to the standard page of the WEBIF product, normally found at "/cgi-bin/webif.exe". You will notice some further parameters: "cmd", "config" and "outconfig".

STEP 2: Don't change any parameter other than "cmd". Change its value to any JavaScript code you like. For our demo we will use the default one: "<script>alert('XSS');</script>".

STEP 3: Press ENTER to execute the code. A successful demonstration will pop up a window.

EXAMPLE: http://example.com/webif/cgi-bin/webif.exe?cmd=<script>alert('XSS');</script>&config=[ * ]&outconfig=[ * ]

[ * ] = Depends on the server. Don't change this!
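
DETECTION (added example, not part of the original advisory and not ifnet code): Because the injected code travels in the request URL, it is visible in the web server's access log. The Python code below flags requests to webif.exe whose "cmd" value contains markup characters after percent-decoding, including double-encoded values. The log lines, the benign value "status", the placeholder "config"/"outconfig" values and the set of flagged characters are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumption: a legitimate command name never needs these characters.
MARKUP = re.compile(r"[<>\"'`]")
WEBIF_PATH = re.compile(r"/cgi-bin/webif\.exe$", re.IGNORECASE)
REQUEST_LINE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Constructed sample log lines; addresses and parameter values are placeholders.
SAMPLE_LOG = [
    '192.0.2.10 - - [23/Oct/2007:10:00:01 +0200] "GET /webif/cgi-bin/webif.exe?cmd=status&config=a&outconfig=b HTTP/1.1" 200 512',
    '192.0.2.11 - - [23/Oct/2007:10:00:07 +0200] "GET /webif/cgi-bin/webif.exe?cmd=%3Cscript%3Ealert(%27XSS%27)%3B%3C/script%3E&config=a&outconfig=b HTTP/1.1" 200 640',
    '192.0.2.12 - - [23/Oct/2007:10:00:09 +0200] "GET /webif/cgi-bin/webif.exe?cmd=%253Cscript%253E&config=a&outconfig=b HTTP/1.1" 200 640',
    '192.0.2.13 - - [23/Oct/2007:10:00:12 +0200] "GET /index.html?cmd=%3Cb%3E HTTP/1.1" 200 128',
]


def fully_decode(value, rounds=3):
    """Undo nested percent-encoding, e.g. %253C -> %3C -> <."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_cmd(target):
    """Return the decoded cmd value if a webif.exe request carries markup, else None."""
    parts = urlsplit(target)
    if not WEBIF_PATH.search(parts.path):
        return None  # other pages are out of scope for this check
    for raw in parse_qs(parts.query, keep_blank_values=True).get("cmd", []):
        value = fully_decode(raw)
        if MARKUP.search(value):
            return value
    return None


def scan(log_lines):
    """Return (line number, decoded cmd) for each flagged access-log line."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        match = REQUEST_LINE.search(line)
        value = suspicious_cmd(match.group(1)) if match else None
        if value is not None:
            hits.append((number, value))
    return hits
```

Calling scan(SAMPLE_LOG) flags the second and third sample lines and ignores both the benign webif.exe request and the request to another page.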


|| 0x04: GOOGLE DORK

inurl:"/cgi-bin/webif/" intitle:"WEBIF"


|| 0x05: RISK LEVEL

  • LOW - (1/3) -

<!> Happy Hacking <!>



THE END

