Reflected cross-site scripting (XSS) vulnerability in Mediatrix Web Management Interface login page

Advisory ID: hag201476
Product: Mediatrix Web Management Interface
Vendor: Media5 Corporation
Vulnerable Version(s): Mediatrix 4402 Device with Firmware Dgw 1.1.13.186 and probably prior
Tested Version: Mediatrix 4402 Device with Firmware Dgw 1.1.13.186
Advisory Publication: January 23, 2014
Vendor Notification: November 13, 2013
Public Disclosure: January 23, 2014
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2014-1612
Risk Level: Medium
CVSSv2 Base Score: 6.4 (AV:N/AC:H/Au:N/C:N/I:P/A:N)
Solution Status: Solution not yet released
Discovered and Provided: Help AG Middle East

about the vendor:
Media5 products and technologies are deployed in millions of broadband connected devices including smartphones, set-top boxes, and a wide variety of telecommunications equipment and applications.
Our VoIP expertise went on to deliver the Mediatrix family of VoIP ATAs and Gateways, and now includes a suite of voice and video mobility solutions and the M5T family of secure SIP-based solutions for the telecommunications marketplace.

Advisory Details:

During a Pentest Help AG discovered the following:
Reflected cross-site scripting (XSS) vulnerability in Mediatrix Web Management Interface, found in the login page, allows remote attackers to inject arbitrary web scripts or HTML via the vulnerable parameter “username”

1) Cross-Site Scripting (XSS) in Mediatrix Web Management Interface: CVE-2014-1612

As proof of concept, one needs to access the following URL on a Mediatrix Web Interface: http://<<MediatrixWebInterfaceIP/Host>>/login.esp?r=system_info.esp&username=%22/%3E%3Cscript%3Ealert%281%29%3C/script%3E

Hackers could craft malicious URLs and send them to system admins to try to gain access to the administrative interface of the Mediatrix Device. As the targeted Mediatrix device in our case is used for providing voice over IP (VoIP) connectivity to ISDN telephones, the attacker could even set up his rogue SIP server, replace the original one in the Mediatrix configuration and listen to all corporate calls if an administrative account is compromised via the XSS in the login page.

Solution:

The vendor was notified, contact the vendor for the patch details

References:

[1] help AG middle East http://www.helpag.com/.
[2] Media5 Corporation http://www.mediatrix.com/en/company
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVEВ® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.

Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible.