Home / exploitsPDF  

webif-xss.txt

Posted on 23 October 2007

----------------------------- || WWW.SMASH-THE-STACK.NET || ----------------------------- || ADVISORY: IFNET.IT WEBIF XSS VULNERABILITY _____________________ || 0x00: ABOUT ME || 0x01: DATELINE || 0x02: INFORMATION || 0x03: EXPLOITATION || 0x04: GOOGLE DORK || 0x05: RISK LEVEL ____________________________________________________________ ____________________________________________________________ _________________ || 0x00: ABOUT ME Author: SkyOut Date: October 2007 Contact: skyout[-at-]smash-the-stack[-dot-]net Website: www.smash-the-stack.net _________________ || 0x01: DATELINE 2007-10-15: Bug found 2007-10-15: Email with notification sent to ifnet.it 2007-10-21: Still no reaction from ifnet.it 2007-10-22: Advisory released ____________________ || 0x02: INFORMATION In the WEBIF product by the italian company ifnet, an error occurs due to the fact of an unfiltered variable (cmd) in the webif.exe program. It is possible to execute any JavaScript code by manipulating the parameter. _____________________ || 0x03: EXPLOITATION To exploit this bug no exploit is needed, all can be done through manipulation of the given URL: STEP 1: Go to the standard page of the WEBIF product, normally existing at "/cgi-bin/webif.exe". You will recognize some further parameters, being "cmd", "config" and "outconfig". STEP 2: Don't change any parameter instead of the "cmd" one. Change its value to any JavaScript code you like. For our demo we will use the default one, being "<script>alert('XSS');</script>". STEP 3: Click ENTER and execute the code. A successfull demonstration will popup a window. EXAMPLE: http://example.com/webif/cgi-bin/webif.exe?cmd=<script>alert('XSS');</script>&config=[ * ]&outconfig=[ * ] [ * ] = Depends on the server. Don't change this! ____________________ || 0x04: GOOGLE DORK inurl:"/cgi-bin/webif/" intitle:"WEBIF" ___________________ || 0x05: RISK LEVEL - LOW - (1/3) - <!> Happy Hacking <!> ____________________________________________________________ ____________________________________________________________ THE END _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/

 

TOP