Details of VAR-201104-0174

ID

VAR-201104-0174

CVE

CVE-2011-0746

TITLE

ZyXEL O2 DSL Router Classic of Forms/PortForwarding_Edit_1 Vulnerable to cross-site request forgery

Trust: 0.8

sources: JVNDB: JVNDB-2011-004236

DESCRIPTION

Cross-site request forgery (CSRF) vulnerability in Forms/PortForwarding_Edit_1 on the ZyXEL O2 DSL Router Classic allows remote attackers to hijack the authentication of administrators for requests that insert cross-site scripting (XSS) sequences via the PortRule_Name parameter. The device is produced by ZyXEL, it seems it has no other name than the brand "O2 DSL Router Classic". As an example, the form at /Forms/PortForwarding_Edit_1 accepts javascript code for the parameter PortRule_Name, which will be permanently stored. Also, the form has no protection against CSRF. A sample code that will inject permanent javascript when called by a user who is logged into his router: <form id="form1" method="post" action="http://192.168.1.1/Forms/PortForwarding_Edit_1"> <input name="PortRule_Name" value='"><script>alert(7)</script>'> <input name="PortRule_SPort" value="77"> <input name="PortRule_EPort" value="77"> <input name="PortRule_SrvAddr" value="10.0.0.1" > <script> var frm = document.getElementById("form1"); frm.submit(); </script> This is just an example, all forms in the router interface are vulnerable to CSRF and, if they accept text input, to XSS. The vulnerability has been disclosed to O2 in advance without any reply. Disclosure Timeline 2011-02-03: Vendor contacted 2011-04-07: Published advisory This vulnerability was discovered by Hanno Boeck, http://www.hboeck.de, of schokokeks.org webhosting

Trust: 1.8

sources: NVD: CVE-2011-0746 // JVNDB: JVNDB-2011-004236 // VULHUB: VHN-48691 // PACKETSTORM: 100172

AFFECTED PRODUCTS

vendor:	zyxel	model:	o2 dsl router classic	scope:	-	version:	-	Trust: 1.4
vendor:	zyxel	model:	o2 dsl router classic	scope:	eq	version:	*	Trust: 1.0

sources: JVNDB: JVNDB-2011-004236 // CNNVD: CNNVD-201104-088 // NVD: CVE-2011-0746

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2011-0746
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2011-0746
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-201104-088
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-48691
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2011-0746
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-48691
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: VULHUB: VHN-48691 // JVNDB: JVNDB-2011-004236 // CNNVD: CNNVD-201104-088 // NVD: CVE-2011-0746

PROBLEMTYPE DATA

problemtype:

CWE-352

Trust: 1.9

sources: VULHUB: VHN-48691 // JVNDB: JVNDB-2011-004236 // NVD: CVE-2011-0746

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201104-088

TYPE

cross-site request forgery

Trust: 0.6

sources: CNNVD: CNNVD-201104-088

CONFIGURATIONS

sources: JVNDB: JVNDB-2011-004236

PATCH

title:

Top Page

url:

http://www.o2online.de/

Trust: 0.8

sources: JVNDB: JVNDB-2011-004236

EXTERNAL IDS

db:	NVD	id:	CVE-2011-0746	Trust: 2.6
db:	SREASON	id:	8198	Trust: 1.1
db:	JVNDB	id:	JVNDB-2011-004236	Trust: 0.8
db:	CNNVD	id:	CNNVD-201104-088	Trust: 0.7
db:	BUGTRAQ	id:	20110407 O2 CLASSIC ROUTER: PERSISTENT CROSS SITE SCRIPTING (XSS) AND CROSS SITE REQUEST FORGERY (CSRF)	Trust: 0.6
db:	VULHUB	id:	VHN-48691	Trust: 0.1
db:	PACKETSTORM	id:	100172	Trust: 0.1

sources: VULHUB: VHN-48691 // JVNDB: JVNDB-2011-004236 // PACKETSTORM: 100172 // CNNVD: CNNVD-201104-088 // NVD: CVE-2011-0746

REFERENCES

url:	http://int21.de/cve/cve-2011-0746-o2-router.html	Trust: 1.8
url:	http://www.securityfocus.com/archive/1/517399/100/0/threaded	Trust: 1.1
url:	http://securityreason.com/securityalert/8198	Trust: 1.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2011-0746	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2011-0746	Trust: 0.8
url:	http://www.securityfocus.com/archive/1/archive/1/517399/100/0/threaded	Trust: 0.6
url:	https://nvd.nist.gov/vuln/detail/cve-2010-1482	Trust: 0.1
url:	http://192.168.1.1/forms/portforwarding_edit_1">	Trust: 0.1
url:	http://www.hboeck.de,	Trust: 0.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2010-1482	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2011-0746	Trust: 0.1

sources: VULHUB: VHN-48691 // JVNDB: JVNDB-2011-004236 // PACKETSTORM: 100172 // CNNVD: CNNVD-201104-088 // NVD: CVE-2011-0746

CREDITS

Hanno Boeck

Trust: 0.1

sources: PACKETSTORM: 100172

SOURCES

db:	VULHUB	id:	VHN-48691
db:	JVNDB	id:	JVNDB-2011-004236
db:	PACKETSTORM	id:	100172
db:	CNNVD	id:	CNNVD-201104-088
db:	NVD	id:	CVE-2011-0746

LAST UPDATE DATE

2025-04-11T23:02:07.699000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-48691	date:	2018-10-09T00:00:00
db:	JVNDB	id:	JVNDB-2011-004236	date:	2012-03-27T00:00:00
db:	CNNVD	id:	CNNVD-201104-088	date:	2011-04-14T00:00:00
db:	NVD	id:	CVE-2011-0746	date:	2025-04-11T00:51:21.963

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-48691	date:	2011-04-13T00:00:00
db:	JVNDB	id:	JVNDB-2011-004236	date:	2012-03-27T00:00:00
db:	PACKETSTORM	id:	100172	date:	2011-04-07T21:37:05
db:	CNNVD	id:	CNNVD-201104-088	date:	2011-04-14T00:00:00
db:	NVD	id:	CVE-2011-0746	date:	2011-04-13T14:55:01.263