[DCA-00017] LinkSys BEFSR41 Multiple Stored Xss

[DCA-00017] LinkSys BEFSR41 Multiple Stored Xss

[Software/Hardware]

• LinkSys DSL Router BEFSR41 V2

[Vendor Product Description]

• This Router will allow your computers to share a high-speed Internet
  connection as well as resources, including files and printers.

[Bug Description]

• Linksys does not validate the input size leading to stored Xss bug.
• Host name,User Name(PPPoE and PPTP),Customized Applications and
  other fields are vulnerable.

[History]

• Advisory sent to vendor on 01/03/2011.
• Vendor reply 01/03/2011
• Published 01/04/2011

[Impact]

• Low

[Affected Version]

• LinkSys DSL Router BEFSR41 V2
• Firmware:
  1.30
  1.33.1
  1.34
  1.35
  1.36
  1.36T4(beta)
  1.37
  1.37.1(j)
  1.38.5
  1.39
  1.40.1
  1.40.2
  1.42.3
  1.42.6
  1.42.7
  1.43
  1.43.3
  1.44
  1.44.2
  1.46.2

[Vendor Reply]

• According to the vendor, this hardware is deprecated

[Codes]
Example in Customized Applications fields:
'><h1>B</h1>

---

[Credits]
DcLabs Security Group
Sponsor: Crash
[email protected]

–
Ewerson Guimaraes (Crash)
Pentester/Researcher
DcLabs Security Team
www.dclabs.com.br