Micronet SP1910 Data Access Controller UI XSS & HTML Code Injection

2014-07-01T00:00:00
ID SSV:67099
Type seebug
Reporter Root
Modified 2014-07-01T00:00:00

Description

Exploit: XSS & Html code injection in Micronet SP1910 data access controller UI

Date: 27-11-2009

Author: K053

Vendor: http://www.micronet.info/model_detail.aspx?series_no=6&sno=472

Tested on : Private Networks


Note :

Micronet introduces an exciting new product—SP1910 Network Access Controller. It is specially designed for secure wired and wireless network environments of small or medium companies. Micronet UI is vulnerable to xss attack .

Attacker able to steal users credential and disconnect them .

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-

POC :

you can spot xss any page ,

http://server/loginpages/error_user.shtml?uname=userid&msg=<script>alert('xss')</script>