cross-site scripting vulnerability in 2Wire routers

Started by Gary, Jan 26, 2008, 08:23:26

Rik

Rik
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.

Gary

Quote from: Rik on Jan 26, 2008, 14:04:36
That and keeping your oats in.  ;D
:eek4: too much info Rik ;) My router would have been vulnerable as it was the same version as Allitnil's, think I'll stay with my old DG till I see a patch maybe :-\
Damned, if you do damned if you don't

Ted

Quote from: Rik on Jan 26, 2008, 14:04:08
Nice post, thanks - I'm safe, it seems.  :karmic:

Seems I'm OK too. Upgraded my password just in case ;D
Ted
There's no place like 127.0.0.1

Sebby

Quote from: Killhippie on Jan 26, 2008, 13:07:09
The information supplied by Secunia states Sebby this "The vulnerability is reported in 1701HG version 3.17.5 and 2071 Gateway version 5.29.51. Other versions may also be affected" so it is possible the 2700 is included, see Secunia link  here

Thanks, Gary. :)

Mine seems okay, and I'm not too concerned about it at the moment.

Ted

I see that my settings are to obtain DNS settings automatically.
Would it be best to set them manually in order to see any changes that have occurred?
I believe they are.
212.69.36.3  Primary
212.69.40.3  Secondary

Yes?
Ted
There's no place like 127.0.0.1

Sebby

I don't think it would make much difference. If you logged in and they'd changed manually, you'd know something's changed.

Rik

Rik
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.

Ted

Thanks Rik. Sebby, I think I'll leave it at auto, then if it's changed to manual I'll know for certain it's not me ;D
Ted
There's no place like 127.0.0.1

EvilPC

Probably a silly question..

Quote
http://192.168.1.254/xslt?PAGE=J38_SET&THISPAGE=J38&NEXTPAGE=J38_SET&NAME=fred.bloggs.com&ADDR=127.0.0.1
But surely that would only work on the LAN side of the router..

If you changed that to your external WAN IP Address and have remote management turned off then this won't work ?? ???

Also if you had "http forwarding" turned on in the firewall, then this request would be passed to your local web server so won't cause any issue? Maybe a quick fix would be to forward "port 80" to an invalid IP Address..

If I'm talking rubbish please feel free to say  ::)

EvilPC

I'm answering my own post..

I suppose a script to try to run that locally.. then they would get in.. :P

jupiter

Quote from: Allitnil on Jan 26, 2008, 13:52:26
Here is a safe example to check the exploit
http://192.168.1.254/xslt?PAGE=J38_SET&THISPAGE=J38&NEXTPAGE=J38_SET&NAME=fred.bloggs.com&ADDR=127.0.0.1

I'm being thick here I suspect, but when I follow that link and get the password page of my 2701 dual ssid, if I enter an invalid password I do not get through to router setup pages, whereas if I enter the valid password, then I do.

So does that mean the router is or is not vulnerable?

Adam

Quote from: jupiter on Jan 28, 2008, 15:32:37
I'm being thick here I suspect, but when I follow that link and get the password page of my 2701 dual ssid, if I enter an invalid password I do not get through to router setup pages, whereas if I enter the valid password, then I do.

So does that mean the router is or is not vulnerable?

While I haven't been keeping up with this thread I believe the vulnerability requires you to already be logged into the router, or have no password set. An example would be a site linking to that URL as you were logged into the router, or using an existing session with the router. AFAIK, if you aren't logged in to the router and close your browser/clear sessions after being logged into the router, you should be safe.
Adam

Sebby

Indeed, Adam; that's the way I see it. It may be a vulnerability but I don't think it's much of an issue for most of us.

Gary

You don't have to be logged in, Adam. If you have a vulnerable router the password will not protect you from reports out; using JavaScript malware the router can be got at from inside your network and can access the router without the page being open now. I'm sure BT will kick out a patch for their dual ssid firmware 5 routers, as it's not good business for them to provide equipment that is vulnerable  ;)
Damned, if you do damned if you don't
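
Added example, not part of the thread: the posts above describe a page elsewhere making the browser request the router's `J38_SET` URL. This Python sketch scans proxy-style log lines for such requests to a private-address host whose Referer is not the router itself; the log format, the sample lines and the function names are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines: "<time> <client> <requested URL> <Referer or ->"
SAMPLE_LOG = """\
2008-01-26T13:52:26 192.168.1.64 http://192.168.1.254/xslt?PAGE=J38_SET&THISPAGE=J38&NEXTPAGE=J38_SET&NAME=fred.bloggs.com&ADDR=127.0.0.1 http://forum.example/topic/1
2008-01-26T13:55:00 192.168.1.64 http://192.168.1.254/xslt?PAGE=J38_SET&THISPAGE=J38&NEXTPAGE=J38_SET&NAME=printer.lan&ADDR=192.168.1.20 http://192.168.1.254/xslt?PAGE=J38
2008-01-26T13:56:10 192.168.1.64 http://192.168.1.254/ -
2008-01-26T13:57:42 192.168.1.64 http://www.example.org/xslt?PAGE=J38_SET&NAME=a.example&ADDR=10.0.0.1 http://www.example.org/
"""

def is_private_host(host):
    """True when host is a literal private/loopback IP (names are not resolved)."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return False

def find_cross_site_dns_sets(log_text):
    """Return J38_SET requests to a LAN device that did not come from its own pages."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # not in the constructed four-field format
        when, client, url, referer = parts
        target = urlsplit(url)
        query = parse_qs(target.query)
        if not is_private_host(target.hostname or ""):
            continue  # only requests aimed at a device on the LAN
        if target.path != "/xslt" or query.get("PAGE") != ["J38_SET"]:
            continue  # only the settings-changing page quoted in the thread
        ref_host = urlsplit(referer).hostname if referer != "-" else None
        if ref_host == target.hostname:
            continue  # submitted from the router's own admin pages
        findings.append({
            "time": when,
            "client": client,
            "router": target.hostname,
            "name": query.get("NAME", [""])[0],
            "addr": query.get("ADDR", [""])[0],
            "referer_host": ref_host,  # None means no Referer was sent
        })
    return findings

if __name__ == "__main__":
    for hit in find_cross_site_dns_sets(SAMPLE_LOG):
        print(hit)
```
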