Vendor: HG-110
By: Unknown
CVSS: 7.5 (HIGH)
Vulnerability: Cross-Site Scripting (XSS) and Directory Traversal
CWE: 79
Product Name: HG-110
Affected Version From: 1.0.0
Affected Version To: Unknown
Patch Exists: NO
Related CWE:
CPE: h:fiberhome:hg-110
Metasploit:
Other Scripts:
Platforms Tested: Unknown

Fiberhome HG-110 Cross-Site Scripting and Directory Traversal Vulnerabilities

The Fiberhome HG-110 router is vulnerable to cross-site scripting (XSS) and directory traversal. Both issues stem from insufficient sanitization of user-supplied input to the web interface. The XSS flaw lets an attacker execute arbitrary script code in the browser of a user visiting the affected site, potentially leading to the theft of sensitive information and further attacks; the directory traversal flaw lets an attacker view arbitrary local files and directories in the context of the web server. Example URIs demonstrating both issues are provided below.

Mitigation:

To mitigate the cross-site scripting vulnerability, validate user input and apply proper output encoding (HTML-encode any value reflected into a page). For the directory traversal vulnerability, restrict the page parameter to an allowlist of known page names, reject path separators and ".." sequences, and enforce access controls so the web server cannot read files outside its document root.
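As an added example of the mitigation just described (illustrative code, not Fiberhome firmware code), the handler below maps a user-supplied page-name parameter to a file only if the name is on an allowlist, confirms the resolved path still lies under the document root, and HTML-encodes the value before reflecting it in an error page. The web root path, the allowlist and the parameter name are assumptions for the example.

```python
import html
import urllib.parse
from pathlib import Path
from typing import Optional

# Assumed values for the example: location of page templates and the set of
# page names the handler will serve. Neither is taken from the HG-110 firmware.
WEB_ROOT = Path("/var/www/pages")
ALLOWED_PAGES = {"dns", "advanced", "status", "wan"}


def resolve_page(getpage: str) -> Optional[Path]:
    """Map a user-supplied page name to a file under WEB_ROOT, or None.

    Defence in depth against the traversal issue:
    1. decode once, so encoded separators cannot slip past the checks
    2. accept only names on the allowlist (which contain no '/', '\\' or '..')
    3. resolve the final path and confirm it is still inside WEB_ROOT
    """
    name = urllib.parse.unquote(getpage)
    if name not in ALLOWED_PAGES:
        return None
    candidate = (WEB_ROOT / f"{name}.html").resolve()
    # resolve() follows symlinks; anything outside the root is rejected even
    # if the allowlist were later extended carelessly
    if WEB_ROOT.resolve() not in candidate.parents:
        return None
    return candidate


def error_page(getpage: str) -> str:
    """Reflect the rejected value safely by HTML-encoding it for the response body."""
    safe = html.escape(urllib.parse.unquote(getpage), quote=True)
    return f"<p>Unknown page: {safe}</p>"


if __name__ == "__main__":
    # The two sample parameter values come from the advisory's example URIs.
    for raw in ("dns",
                "%3Cscript%3Ealert%28this%29%3C/script%3E",
                "../../../../../../../../../../../../etc/passwd"):
        target = resolve_page(raw)
        print(raw, "->", target if target else error_page(raw))
```

The allowlist does the real work: a traversal string or a script tag is never compared against the filesystem at all, and the path check behind it only guards against future mistakes in the allowlist. Output encoding is still applied to the rejected value so that the error page itself cannot become a reflection point.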

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/47277/info

Fiberhome HG-110 is prone to a cross-site scripting vulnerability and a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input.

Exploiting these issues will allow an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site and to view arbitrary local files and directories within the context of the webserver. This may let the attacker steal cookie-based authentication credentials and other harvested information, which may aid in launching further attacks.

Fiberhome HG-110 firmware 1.0.0 is vulnerable; other versions may also be affected.

The following example URIs are available:

http://www.example.com/cgi-bin/webproc?getpage=%3Cscript%3Ealert%28this%29%3C/script%3E&var:menu=advanced&var:page=dns

Local File Include and Directory/Path Traversal:

http://www.example.com/cgi-bin/webproc?getpage=../../../../../../../../../../../../etc/passwd&var:menu=advanced&var:page=dns
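For defenders watching for attempts against this interface, the following added example (not part of the advisory) scans web-server access-log lines for the getpage parameter and flags values that contain path-traversal sequences or script markup after URL decoding, including double-encoded variants. The log lines are constructed for the example in common log format; the client addresses and timestamps are not real traffic.

```python
import re
import urllib.parse
from typing import List, Tuple

# Constructed sample access-log lines (common log format) for illustration;
# the requests mirror the advisory's example URIs, plus a double-encoded variant.
SAMPLE_LOG = """\
192.0.2.10 - - [11/Apr/2011:10:00:01 +0000] "GET /cgi-bin/webproc?getpage=dns&var:menu=advanced&var:page=dns HTTP/1.1" 200 1532
192.0.2.11 - - [11/Apr/2011:10:00:05 +0000] "GET /cgi-bin/webproc?getpage=%3Cscript%3Ealert%28this%29%3C/script%3E&var:menu=advanced&var:page=dns HTTP/1.1" 200 812
192.0.2.12 - - [11/Apr/2011:10:00:09 +0000] "GET /cgi-bin/webproc?getpage=../../../../../../../../../../../../etc/passwd&var:menu=advanced&var:page=dns HTTP/1.1" 200 1041
192.0.2.13 - - [11/Apr/2011:10:00:12 +0000] "GET /cgi-bin/webproc?getpage=..%252F..%252Fetc%252Fpasswd&var:menu=advanced&var:page=dns HTTP/1.1" 404 210
"""

# client ip, request target and status code from a common-log-format line
REQUEST_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')
# a ".." path component bounded by separators (or string start/end)
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")
# common markers of script injection in a reflected value
SCRIPT_RE = re.compile(r"<\s*script|javascript:|on\w+\s*=", re.IGNORECASE)


def fully_decode(value: str, rounds: int = 3) -> str:
    """URL-decode repeatedly so double-encoded payloads (%252F) are normalised."""
    for _ in range(rounds):
        decoded = urllib.parse.unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_log(text: str) -> List[Tuple[str, str, str]]:
    """Return (client_ip, rule, decoded_getpage) for each suspicious request."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, target, _status = m.groups()
        query = urllib.parse.urlsplit(target).query
        # parse_qs already applies one round of decoding; fully_decode handles the rest
        params = urllib.parse.parse_qs(query, keep_blank_values=True)
        for value in params.get("getpage", []):
            decoded = fully_decode(value)
            if TRAVERSAL_RE.search(decoded):
                findings.append((ip, "path-traversal", decoded))
            elif SCRIPT_RE.search(decoded):
                findings.append((ip, "reflected-xss", decoded))
    return findings


if __name__ == "__main__":
    for ip, rule, value in scan_log(SAMPLE_LOG):
        print(f"{ip}\t{rule}\t{value}")
```

The decoded parameter value, not the raw request line, is what the rules are applied to; matching on the raw line would miss the double-encoded request on the last sample line. A 404 on that line is still worth recording, since a probe that failed once may be retried with a different encoding.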