CVE-2013-5218

LOW 2.9 / 10.0
Published: December 30, 2013 at 04:53 AM
Modified: April 11, 2025 at 12:51 AM
Source: cve@mitre.org

Vulnerability Description

Cross-site scripting (XSS) vulnerability on the HOT HOTBOX router with software 2.1.11 allows remote attackers to inject arbitrary web script or HTML via a crafted DHCP Host Name option, which is not properly handled during rendering of the DHCP table in wlanAccess.asp.

CVSS Metrics

Base Score: 2.9
Severity: LOW
Vector String: AV:A/AC:M/Au:N/C:N/I:P/A:N

Weaknesses (CWE)

Source: nvd@nist.gov

AI Security Analysis

01 // Technical Summary

HOT HOTBOX routers running software version 2.1.11 are vulnerable to a cross-site scripting (XSS) attack. Attackers can inject malicious scripts into the router's web interface by crafting a malicious DHCP Host Name option, potentially leading to account compromise or device takeover.

02 // Vulnerability Mechanism

Step 1: Payload Preparation: The attacker crafts a malicious DHCP Host Name. This name includes HTML or JavaScript code designed to execute in the victim's browser. For example, <script>alert('XSS')</script>.

Step 2: DHCP Request: The attacker's device sends a DHCP request to the HOT HOTBOX router, including the crafted Host Name in the request.

Step 3: Router Configuration: The router receives the DHCP request and stores the malicious Host Name in its internal configuration.

Step 4: Webpage Access: A legitimate user accesses the wlanAccess.asp page on the router's web interface, typically to view the DHCP table.

Step 5: Vulnerable Rendering: The wlanAccess.asp page retrieves the DHCP Host Name from the router's configuration and renders it directly in the HTML output, without proper sanitization or encoding.

Step 6: Payload Execution: The user's browser interprets the injected HTML or JavaScript code, executing the attacker's payload. This could lead to various malicious actions, such as cookie theft, session hijacking, or redirection to a phishing site.

03 // Deep Technical Analysis

The vulnerability stems from a failure to properly sanitize user-supplied input from the DHCP Host Name option before rendering it within the wlanAccess.asp page. Specifically, the router's web application directly incorporates the DHCP Host Name into the HTML output without any form of input validation or output encoding. This allows an attacker to inject arbitrary HTML and JavaScript code. The root cause is a lack of contextual output encoding within the web application's code, leading to the execution of malicious scripts within the user's browser when they access the DHCP table.
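The missing output encoding described above, shown next to a hardened form. This is an added example, not the router's firmware code: the function names, the "(invalid)" placeholder and the sample lease are assumptions made for illustration, and the host name check follows the RFC 1123 label rules.

```python
import html
import re

# RFC 1123 host name: dot-separated labels of letters, digits and hyphens,
# 1-63 characters each, with no leading or trailing hyphen.
_LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
_HOSTNAME_RE = re.compile(rf"{_LABEL}(\.{_LABEL})*")


def sanitize_hostname(raw: bytes) -> str:
    """Validate a DHCP Host Name option at ingestion (hypothetical helper).

    Anything that is not a plain host name is replaced by a placeholder,
    so markup never reaches the lease table in the first place.
    """
    try:
        name = raw.decode("ascii")
    except UnicodeDecodeError:
        return "(invalid)"
    if len(name) <= 253 and _HOSTNAME_RE.fullmatch(name):
        return name
    return "(invalid)"


def render_row_unsafe(ip: str, mac: str, hostname: str) -> str:
    # The flaw: a client-controlled value is concatenated into HTML as-is.
    return f"<tr><td>{ip}</td><td>{mac}</td><td>{hostname}</td></tr>"


def render_row_safe(ip: str, mac: str, hostname: str) -> str:
    # Contextual output encoding: every field is HTML-escaped at render time,
    # even if it was already validated when the lease was stored.
    cells = (html.escape(str(v), quote=True) for v in (ip, mac, hostname))
    return "<tr>" + "".join(f"<td>{c}</td>" for c in cells) + "</tr>"


# Constructed sample lease; the host name is the example string from Step 1.
SAMPLE = ("192.168.1.23", "00:11:22:33:44:55", "<script>alert('XSS')</script>")

if __name__ == "__main__":
    print(render_row_unsafe(*SAMPLE))   # markup reaches the page unchanged
    print(render_row_safe(*SAMPLE))     # markup is rendered as inert text
    print(sanitize_hostname(SAMPLE[2].encode()))
```

Validation at ingestion and encoding at render time are independent controls; the encoding step is the one that closes the hole even when a stored value was never validated.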
