Linksys BEFSR41 Admin Interface XSS Vulnerabilities
Description of Vulnerability:
Linksys BEFSR41 is a consumer-grade cable/DSL router with a four-port switch (http://www.linksysbycisco.com/ANZ/en/support/BEFSR41). The device provides an administration interface for configuration via a web browser. Unfortunately, the interface does not sanitize certain user-supplied data before echoing it back into the page, leading to a stored cross-site scripting (XSS) vulnerability.
Furthermore, the BEFSR41 provides no cross-site request forgery (CSRF) protection.
Systems affected:
Cisco Linksys Etherfast(R) Cable/DSL Router BEFSR41 with firmware version 1.04.09 was tested and found to be vulnerable.
Impact:
XSS could be used to change critical settings (such as DNS) or to disable security protections on the device. This could allow remote attackers to upload new firmware to the device, attack users on the LAN behind the device, or cause a denial of service by applying invalid settings to the device.
Mitigating factors:
Injection points are limited in length, so an attacker would have to craft a short payload.
Proof of Concept:
Host Name field (/index.htm):
- Log into the BEFSR41 administration screen and navigate to /index.htm
- Enter "name ' onBlur='alert("xss")" for the "Host Name" value.
- Click the "Save Settings" button at the bottom of the form
- After the page refreshes, click on the "Host Name" text field, then click outside it to view the JavaScript alert

Route Name field (/Routing.htm):
- Log into the BEFSR41 administration screen and navigate to /Routing.htm
- Enter "test ' onBlur=alert('xss')" for the "Enter Route Name" value.
- Click the "Save Settings" button at the bottom of the form
- After the page refreshes, click on the "Enter Route Name" text field, then click outside it to view the JavaScript alert
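To make the attribute-context problem concrete, here is an added Python example (not code from this advisory or from the BEFSR41 firmware; the HTML template and the hostname character rule are assumptions). It renders the Host Name value the way the advisory describes, then the same field with HTML attribute encoding, and parses both the way a browser would so that the injected event handler is visible in one and absent in the other; it also validates the hostname against an RFC 952 style character set, which rejects the advisory's payload outright.

```python
import html
import re
from html.parser import HTMLParser

# Payload taken verbatim from the advisory's Host Name proof of concept.
POC_HOSTNAME = "name ' onBlur='alert(\"xss\")"


def render_vulnerable(value: str) -> str:
    """Assumed template mirroring the advisory: the stored value is placed
    inside a single-quoted attribute with no encoding, so a quote in the
    value terminates the attribute and anything after it becomes markup."""
    return f"<input type='text' name='hostname' value='{value}'>"


def render_hardened(value: str) -> str:
    """Same template, but the value is attribute-encoded first.  quote=True
    turns both ' and " into character references, so the value can no
    longer close the attribute it sits in."""
    return f"<input type='text' name='hostname' value='{html.escape(value, quote=True)}'>"


class _InputAttrs(HTMLParser):
    """Collect the attributes a browser would see on the <input> tag."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs: dict = {}

    def handle_starttag(self, tag, attrs) -> None:
        if tag == "input":
            self.attrs = dict(attrs)  # attribute names arrive lowercased


def parse_input_attrs(markup: str) -> dict:
    parser = _InputAttrs()
    parser.feed(markup)
    return parser.attrs


# Defence in depth: a hostname label is letters, digits and hyphens, 1-63
# characters, not starting or ending with a hyphen (RFC 952/1123 style rule,
# assumed here; it excludes every quote and space the payload depends on).
_HOSTNAME_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_hostname(value: str) -> bool:
    return _HOSTNAME_RE.fullmatch(value) is not None


if __name__ == "__main__":
    print("vulnerable:", parse_input_attrs(render_vulnerable(POC_HOSTNAME)))
    print("hardened:  ", parse_input_attrs(render_hardened(POC_HOSTNAME)))
    print("valid hostname?", is_valid_hostname(POC_HOSTNAME))
```

In the vulnerable rendering the parser reports an `onblur` attribute carrying the script; in the hardened rendering the whole payload survives only as the literal text of `value`, and the validator would have refused to store it in the first place.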
Prior Research:
Other researchers have previously released advisories addressing this issue in other versions of the BEFSR41 firmware (Ref: http://securityreason.com/wlb_show/WLB-2011010030).