Cross-site scripting (XSS) vulnerability in the web management interface in httpd/cgi-bin/ipinfo.cgi in Smoothwall Express 3.1 and 3.0 SP3 and earlier allows remote attackers to inject arbitrary web script or HTML via the IP parameter in a Run action.
Smoothwall Express 3.1 and earlier are vulnerable to a critical cross-site scripting (XSS) flaw in the web management interface. This vulnerability allows attackers to inject malicious JavaScript into the web interface, potentially leading to account compromise, session hijacking, and data exfiltration.
Step 1: Payload Delivery: The attacker crafts a malicious URL containing a JavaScript payload within the IP parameter. This URL targets the ipinfo.cgi script with the Run action.
Step 2: Request Submission: The attacker sends the crafted URL to the vulnerable Smoothwall Express server.
Step 3: Server-Side Processing: The ipinfo.cgi script receives the request and processes the IP parameter.
Step 4: Vulnerable Output: The script directly incorporates the attacker-supplied IP parameter (including the malicious JavaScript) into the HTML response without proper sanitization or encoding.
Step 5: Browser Execution: The victim's web browser receives the HTML response containing the injected JavaScript and executes it.
Step 6: Exploitation: The injected JavaScript executes within the context of the victim's browser, allowing the attacker to perform actions such as stealing cookies, redirecting the user to a phishing site, or modifying the web page content.
The vulnerability stems from a failure to sanitize user-supplied input in the ipinfo.cgi script: the IP parameter used by the Run action is incorporated directly into the HTML output without validation or output encoding, so an attacker can inject arbitrary HTML and JavaScript. The script trusts the user-provided value as if it were a well-formed IP address, a classic unvalidated-input flaw that leads to cross-site scripting. The fix is twofold: reject any value that is not a syntactically valid IP address before using it, and HTML-encode every user-derived string that is written into the response.
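As an added illustration (not Smoothwall's own Perl CGI code), the following Python shows the defect beside its fix: the vulnerable handler reflects the IP parameter verbatim, while the hardened one accepts only a syntactically valid IPv4/IPv6 literal and HTML-encodes anything it echoes. The ACTION query-parameter name, the response markup and the sample query strings are assumptions constructed for the example.

```python
import html
import ipaddress
from urllib.parse import parse_qs


def _params(query_string):
    """Parse the CGI query string; parameter names (ACTION, IP) are assumed."""
    params = parse_qs(query_string, keep_blank_values=True)
    action = params.get("ACTION", [""])[0]
    raw_ip = params.get("IP", [""])[0]
    return action, raw_ip


def render_ipinfo_vulnerable(query_string):
    """The defect the advisory describes: the IP value is written into HTML unchanged."""
    action, raw_ip = _params(query_string)
    if action != "Run":
        return "<p>No action requested.</p>"
    return "<p>Results for " + raw_ip + "</p>"  # raw reflection -> XSS


def validate_ip_param(raw):
    """Return a normalised IP literal if raw parses as IPv4/IPv6, else None."""
    try:
        return str(ipaddress.ip_address(raw.strip()))
    except ValueError:
        return None


def render_ipinfo_hardened(query_string):
    """Validate first, then encode: neither branch ever emits raw user input."""
    action, raw_ip = _params(query_string)
    if action != "Run":
        return "<p>No action requested.</p>"
    ip = validate_ip_param(raw_ip)
    if ip is None:
        # Reject the value; if it is echoed at all, it is HTML-encoded.
        return "<p>Invalid IP address: " + html.escape(raw_ip, quote=True) + "</p>"
    return "<p>Results for " + html.escape(ip, quote=True) + "</p>"


if __name__ == "__main__":
    # Constructed sample inputs: one benign, one carrying markup in the IP parameter.
    for qs in ("ACTION=Run&IP=192.168.1.1", "ACTION=Run&IP=<b>not-an-ip</b>"):
        print("vulnerable:", render_ipinfo_vulnerable(qs))
        print("hardened:  ", render_ipinfo_hardened(qs))
```

Running it shows the vulnerable handler emitting the `<b>` tag as live markup while the hardened handler either echoes it encoded or, for a valid address, echoes the normalised literal only.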