Security Advisory IS-2010-003 - Linksys WAP54Gv3 debug.cgi Cross-Site Scripting Advisory Information -------------------- Published (dd/mm/yy): 23/06/2010 Updated (dd/mm/yy): 23/06/2010 Manufacturer: Linksys Model: WAP54G Hardware version: v3.x Firmware version: ver.3.05.03 (Europe) ver.3.04.03 (US) Vulnerability Details --------------------- Class: Cross-Site Scripting Public References: Not Assigned Platform: Successfully tested on Linksys WAP54Gv3 loaded with firmware version Ver.3.05.03 (Europe) Vulnerability present also on firmware ver.3.04.03 (US) Other models and/or firmware versions may be also affected. Background Information: Linksys WAP54G is a wireless access points that allow wireless clients connectivity to wired networks. Supported 802.11b and 802.11g protocols, with data rates up to 54Mbit/s. Summary: A cross-site scripting vulnerability is present in the debug.cgi page, that is accessible by using proper debug credentials Details: The debug.cgi page act as debug interface for the Linksys WAP54Gv3 and is accessible by authenticating with proper debug credentials at the following URL: http://AP_IP_ADDR/debug.cgi where AP_IP_ADDR is the IP address of the device. Commands to be executed by the system are sent within the data1 POST variable, while the command output is returned within a closing tag in its output. Additional text following such tag will be interpreted as regular HTML by the accessing user browser, allowing for injection of Javascript code, that will be run in the context of the presented web page. Proof of Concept: echo "" Impacts: The vulnerability may allow an attacker to access the output of commands during a "Remote blind" attack, where malicious web pages are used by the attacker over the Internet to execute code on a victim access point with private addressing, by leveraging an user browser as a 3rd party "reflector". This would also allow an attacker to extract information and configuration stored on devices that are not even able to access the Internet (eg: firewall policy, gateway not configured) Solutions & Workaround: Not available Additional Information ---------------------- Timeline (dd/mm/yy): 09/11/2009: Requested Point of Contact to Linksys 10/11/2009: Received Point of Contact 10/11/2009: Vulnerability details sent 12/11/2009: Received clarification request on firmware version 12/11/2009: Additional details sent 16/01/2010: Requested update on vulnerability status. ----------- No update received ----------- 23/06/2010: This advisory Additional information available at http://www.icysilence.org