
List:       bugtraq
Subject:    Reflected cross-site scripting (XSS) vulnerability in Mediatrix Web Management Interface login page
From:       tudor.enache () helpag ! com
Date:       2014-01-23 7:53:18
Message-ID: 201401230753.s0N7rIak023957 () sf01web1 ! securityfocus ! com

Advisory ID: hag201476
Product: Mediatrix Web Management Interface
Vendor: Media5 Corporation
Vulnerable Version(s): Mediatrix 4402 Device with Firmware Dgw 1.1.13.186 and probably prior
Tested Version: Mediatrix 4402 Device with Firmware Dgw 1.1.13.186
Advisory Publication: January 23, 2014 
Vendor Notification: November 13, 2013 
Public Disclosure:  January 23, 2014 
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2014-1612
Risk Level: Medium 
CVSSv2 Base Score: 6.4 (AV:N/AC:H/Au:N/C:N/I:P/A:N)
Solution Status: Solution not yet released
Discovered and Provided: Help AG Middle East

------------------------------------------------------------------------

About the vendor:
Media5 products and technologies are deployed in millions of broadband
connected devices including smartphones, set-top boxes, and a wide variety
of telecommunications equipment and applications.  Our VoIP expertise went
on to deliver the Mediatrix family of VoIP ATAs and Gateways, and now
includes a suite of voice and video mobility solutions and the M5T family
of secure SIP-based solutions for the telecommunications marketplace.


Advisory Details:

During a pentest, Help AG discovered the following:
A reflected cross-site scripting (XSS) vulnerability in the login page of
the Mediatrix Web Management Interface allows remote attackers to inject
arbitrary web scripts or HTML via the vulnerable parameter “username”.

1) Cross-Site Scripting (XSS) in Mediatrix Web Management Interface: CVE-2014-1612

As proof of concept, one needs to access the following URL on a Mediatrix
Web Interface:
http://<<MediatrixWebInterfaceIP/Host>>/login.esp?r=system_info.esp&username=%22/%3E%3Cscript%3Ealert%281%29%3C/script%3E

Hackers could craft malicious URLs and send them to system admins to try to
gain access to the administrative interface of the Mediatrix device. As the
targeted Mediatrix device in our case is used for providing voice over IP
(VoIP) connectivity to ISDN telephones, the attacker could even set up a
rogue SIP server, replace the original one in the Mediatrix configuration
and listen to all corporate calls if an administrative account is
compromised via the XSS in the login page.

------------------------------------------------------------------------

Solution:

The vendor was notified; contact the vendor for the patch details.

------------------------------------------------------------------------


Disclaimer: The information provided in this Advisory is provided "as is"
and without any warranty of any kind. Details of this Advisory may be
updated in order to provide as accurate information as possible.
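
Because the solution status above is "not yet released", one interim check is to watch access logs for login.esp requests whose username parameter carries markup, as in the proof-of-concept URL. The following is an added example, not part of the original advisory or the vendor's code; it assumes requests to the device pass through a proxy that writes common-log-format lines, and the username allow-list and the function name are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: legitimate usernames on the device only use these characters.
SAFE_USERNAME = re.compile(r"[A-Za-z0-9._@-]{0,64}")
# Request line inside a common-log-format entry: "METHOD target HTTP/x.y"
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')


def suspicious_login_requests(log_lines):
    """Return (client, decoded username) for every login.esp request whose
    username parameter contains characters outside the allow-list."""
    hits = []
    for line in log_lines:
        match = REQUEST.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        if not url.path.endswith("/login.esp"):
            continue
        # parse_qs percent-decodes, so %22/%3E%3Cscript... is checked as markup.
        usernames = parse_qs(url.query, keep_blank_values=True).get("username", [])
        for value in usernames:
            if not SAFE_USERNAME.fullmatch(value):
                hits.append((line.split()[0], value))
    return hits


# Constructed sample log lines; the second carries the advisory's PoC query.
SAMPLE_LOG = [
    '192.0.2.10 - - [23/Jan/2014:08:00:01 +0000] '
    '"GET /login.esp?r=system_info.esp&username=admin HTTP/1.1" 200 2310',
    '198.51.100.7 - - [23/Jan/2014:08:02:44 +0000] '
    '"GET /login.esp?r=system_info.esp&username='
    '%22/%3E%3Cscript%3Ealert%281%29%3C/script%3E HTTP/1.1" 200 2398',
    '192.0.2.10 - - [23/Jan/2014:08:03:10 +0000] '
    '"GET /system_info.esp HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for client, username in suspicious_login_requests(SAMPLE_LOG):
        print(f"{client} sent username={username!r} to login.esp")
```

The same allow-list can be enforced at the proxy to reject such requests before they reach the device.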

