cross-site scripting vulnerability in 2Wire routers

[Rik]

So thats what they are for

That and keeping your oats in. 

[Gary]

That and keeping your oats in. 

to much info Rik My router would have been vulnerable as it was the same version as Allitnil's, think i'll stay with my old DG till I see a patch maybe

[Ted]

Nice post, thanks - I'm safe, it seems. 

Seems i'm ok too. Upgraded my password just in case

[Sebby]

The information suppied by secunia states Sebby this "The vulnerability is reported in 1701HG version 3.17.5 and 2071 Gateway version 5.29.51. Other versions may also be affected" so it is possible the 2700 is included, see Secunia link  here

Thanks, Gary.

Mine seems okay, and I'm not too concerned about it at the moment.

[Ted]

I see that my settings are to obtain DNS settings automatically.
Would it be best to set them manually in order to see any changes that have occurred?
I believe they are.
212.69.36.3  Primary
212.69.40.3  Secondary

Yes?

[Sebby]

I don't think it would make much difference. If you logged in and they'd changed manually, you'd know something's changed.

[Rik]

Those are they, Ted.

[Ted]

Thanks Rik. Sebby i think i'll leave it at auto, then if its changed to manual i'll know for certain it's not me

[EvilPC]

Probably a silly question..

http://192.168.1.254/xslt?PAGE=J38_SET&THISPAGE=J38&NEXTPAGE=J38_SET&NAME=fred.bloggs.com&ADDR=127.0.0.1

But surely that would only work on the LAN side of the router..

If you changed that to your external WAN IP Address and have remote management turned off then this won't work ??

Also if you had "http forwarding" turned on in the firewall. then this request would be passed to you local web server so won't cause any issue ? May be quick fix would be to forward "port 80" to an invalid IP Address..

If I'm talking rubbish please feel free to say 

[EvilPC]

I'm answering my own post..

I suppose a script to try to run that locally.. then they would get in..

[jupiter]

Here is a safe example to check the exploit
http://192.168.1.254/xslt?PAGE=J38_SET&THISPAGE=J38&NEXTPAGE=J38_SET&NAME=fred.bloggs.com&ADDR=127.0.0.1

I'm being thick here I suspect, but when I follow that link and get the password page of my 2701 dual ssid, if I enter an invalid password I do not get through to router setup pages, whereas if I enter the valid password, then I do.

So does that mean the router is or is not vulnerable?

[Adam]

I'm being thick here I suspect, but when I follow that link and get the password page of my 2701 dual ssid, if I enter an invalid password I do not get through to router setup pages, whereas if I enter the valid password, then I do.

So does that mean the router is or is not vulnerable?

While I haven't been keeping up with this thread I believe the vulnerability requires you to already be logged into the router, or have no password set. An example would be a site linking to that URL as you were logged into the router, or using an existing session with the router. AFAIK, if you aren't logged in to the router and close your browser/clear sessions after being logged into the router, you should be safe.

[Sebby]

Indeed, Adam; that's the way I see it. It may be a vulnerability but I don't think it's much of an issue for most of us.

[Gary]

You don't have to be logged in Adam if you have a vulnerable router the password will not protect you from reports out, using javascript malware the router can be got at from inside your network and can access the router without the page being open now, I'm sure BT will kick out a patch for their dual ssid firmware 5 routers as its not good business for them to provide equipment that is vulnerable