[OpenWrt-Devel] Security Advisory 2019-11-05-1 - LuCI stored XSS

Marcin Zięba marcin.zieba at ehlo.red
Wed Dec 4 03:44:26 EST 2019


Hi all,

Any news regarding CVE assignment?

Regards,
Marcin

On 13/11/2019 23:34, Hauke Mehrtens wrote:
> Security Advisory 2019-11-05-1 - LuCI stored XSS
>
>
> DESCRIPTION
>
> A vulnerability has been reported in LuCI which allows injection of
> script code through maliciously crafted wireless network SSIDs.
>
> When joining a wireless network by clicking Network -> Wireless -> Join,
> the subsequent configuration view interprets the SSID of the network
> to join without proper escaping, allowing execution of arbitrary
> JavaScript in the client's web browser through network names which
> contain a payload, for example
> AP</h2><svg onclick=alert(0);>
>
> Additionally the network interface overview displays configured wireless
> network SSID without proper escaping.
>
> Since the SSID string is stored in the UCI configuration, the issue
> effectively becomes a Stored Cross Site Scripting (XSS)
> vulnerability.
>
>
> REQUIREMENTS
>
> In order to exploit this vulnerability, a user needs to either
> explicitly pick a network with a malicious SSID from the wireless scan
> result list or manually add a wireless network with an SSID containing
> embedded script and browse to the network interface overview page.
>
> The wireless scan result list is not affected by this issue, so no
> automatic script code execution is possible through it.
>
>
> MITIGATIONS
>
> To fix this issue, update the affected LuCI package using the command
> below. The fix is contained in version `git-19.309.48729-bc17ef673` and
> later.
>
>    `opkg update; opkg upgrade luci-mod-admin-full`
>
> To work around the problem, avoid joining networks with HTML code in the
> SSID.
>
>
> AFFECTED VERSIONS
>
> To our knowledge, LuCI packages with OpenWrt versions 18.06.0 to 18.06.4
> are affected. OpenWrt 19.07 is not affected by this problem.
> The fixed LuCI packages are integrated in the OpenWrt 18.06.5. Older
> versions of OpenWrt (e.g. OpenWrt 15.05 and LEDE 17.01) are end of life
> and not supported any more.
>
>
> CREDITS
>
> The issue has been reported by Marcin Zieba <marcin.zieba at ehlo.red> on
> 27th October 2019 and independently by Ridwan Maulana <mrm at asdqwe.net>
> on 5th November 2019.
> The issue has been fixed by Jo-Philipp Wich <jo at mein.io>.
>
>
> REFERENCES
>
> https://github.com/openwrt/luci/commit/bc17ef673f734ea8e7e696ba5735588da9111dcd
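
The following is an added example, not part of the advisory and not LuCI's own code: it audits UCI wireless configuration text for stored SSIDs that contain HTML metacharacters and shows the same SSID rendered with and without output escaping. The sample configuration is constructed, and the function names and the `<h2>` wrapper are assumptions made for illustration.

```javascript
// Added example (not LuCI code). The configuration below is constructed sample data
// in /etc/config/wireless syntax; the first SSID is the example from the advisory.
const SAMPLE_UCI = `
config wifi-iface 'default_radio0'
	option device 'radio0'
	option mode 'sta'
	option ssid 'AP</h2><svg onclick=alert(0);>'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option mode 'ap'
	option ssid 'OpenWrt'
`;

// Escape the five characters that are significant in HTML text and attribute values.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Extract { section, ssid } pairs from the wifi-iface sections of UCI text.
function parseSsids(uciText) {
  const found = [];
  let section = null;
  for (const raw of uciText.split('\n')) {
    const line = raw.trim();
    const cfg = /^config\s+wifi-iface(?:\s+'([^']*)')?/.exec(line);
    if (cfg) { section = cfg[1] || '(anonymous)'; continue; }
    const opt = /^option\s+ssid\s+(?:'([^']*)'|"([^"]*)"|(\S+))/.exec(line);
    if (opt && section !== null) found.push({ section, ssid: opt[1] ?? opt[2] ?? opt[3] });
  }
  return found;
}

// Flag stored SSIDs that contain markup characters and show both renderings.
function auditSsids(uciText) {
  return parseSsids(uciText).map(({ section, ssid }) => ({
    section,
    ssid,
    suspicious: /[<>&"']/.test(ssid),
    unsafeHtml: '<h2>' + ssid + '</h2>',           // unescaped interpolation (the bug class)
    safeHtml: '<h2>' + escapeHtml(ssid) + '</h2>', // escaped at output time
  }));
}

console.log(auditSsids(SAMPLE_UCI));
```

Because the SSID persists in the UCI configuration, a check like this applies to what is already stored on the device, not only to new scan results.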

