Full Disclosure mailing list archives
FOSCAM Wireless IP Camera - SSID Cross Site Scripting
From: LIAD Mizrachi <liadmz () gmail com>
Date: Thu, 7 Nov 2013 10:56:59 +0200
Advisory: FOSCAM Wireless IP Camera - SSID XSS
Author: Liad Mizrachi
Vendor URL: http://www.foscam.com/
Vulnerability Status: No Fix
CVE-ID: CVE-2013-5215

==========================
Vulnerability Description
==========================
FOSCAM's Web UI "WiFi scan" option is vulnerable to XSS using a custom AP SSID.

==========================
PoC
==========================
Set up a wireless access point and set the SSID with the JavaScript code.
- SSID must start with ' (Apostrophe).
- SSID must end with // (comment).

==========================
Disclosure Timeline
==========================
20-Aug-2013 - Vendor informed by mail
21-Aug-2013 - Reply from FosCam Support, moved to R&D team.
08-Sep-2013 - Requesting the vendor for update on the issue.
08-Sep-2013 - Reply From Vendor: no fix will be issued.

==========================
References
==========================
http://www.foscam.com/
https://vimeo.com/72786679 [PoC Demo]
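Added example (not part of the original advisory and not FOSCAM's code): the two PoC conditions, a leading apostrophe and a trailing //, are what you would expect when the scanned SSID is copied into a single-quoted JavaScript string in the scan page. Under that assumption, the sketch below puts the unescaped pattern beside an output-encoded one and adds a round-trip regression check; the variable name `s`, the function names and the sample SSIDs are constructed for illustration.

```javascript
// ASSUMPTION: the scan page emits each SSID inside a single-quoted
// JavaScript string. The variable name `s` is hypothetical.

// Vulnerable pattern: the SSID is concatenated into script source unchanged.
function renderVulnerable(ssid) {
  return "var s='" + ssid + "';";
}

// Escape every code unit except ASCII letters and digits, so quotes,
// backslashes, slashes, line breaks and '<' can never end the literal
// (or an inline <script> block) early.
function jsStringEscape(value) {
  let out = "";
  for (let i = 0; i < value.length; i++) {
    const code = value.charCodeAt(i);
    if (/[A-Za-z0-9]/.test(value[i])) {
      out += value[i];
    } else if (code < 0x100) {
      out += "\\x" + code.toString(16).padStart(2, "0");
    } else {
      out += "\\u" + code.toString(16).padStart(4, "0");
    }
  }
  return out;
}

function renderHardened(ssid) {
  return "var s='" + jsStringEscape(ssid) + "';";
}

// Regression check: the generated statement must evaluate to exactly the
// SSID that was scanned. A syntax error or any other value means the SSID
// changed the structure of the script instead of staying data.
function roundTrips(render, ssid) {
  try {
    return new Function(render(ssid) + "\nreturn s;")() === ssid;
  } catch (e) {
    return false;
  }
}

// Constructed sample SSIDs: two ordinary names, one with the shape the
// advisory describes, and one containing a backslash and a quote.
const SAMPLES = ["HomeAP", "Caf\u00e9 Wi-Fi", "';void 0//", "a\\'b"];

// Returns the sample SSIDs that a given renderer fails to treat as data.
function failures(render) {
  return SAMPLES.filter((ssid) => !roundTrips(render, ssid));
}
```

The same encoder applies to any other attacker-controlled scan field (for example a device name) that ends up inside script source.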