Cross-site scripting (XSS) vulnerability in httpd/cgi-bin/vpn.cgi/vpnconfig.dat in Smoothwall Express 3.0 SP3 allows remote attackers to inject arbitrary web script or HTML via the COMMENT parameter in an Add action.
Smoothwall Express 3.0 SP3 is vulnerable to a critical cross-site scripting (XSS) flaw. Attackers can inject malicious JavaScript into the vpn.cgi/vpnconfig.dat configuration file, potentially allowing them to steal user credentials, redirect users to phishing sites, or completely compromise the web interface. This vulnerability requires immediate patching due to its ease of exploitation and potential for widespread impact.
Step 1: Payload Delivery: The attacker crafts a malicious HTTP request to httpd/cgi-bin/vpn.cgi/vpnconfig.dat with the action=Add parameter and a specially crafted COMMENT parameter containing the XSS payload (e.g., <script>alert('XSS')</script>).
Step 2: Data Storage: The vpn.cgi script processes the request and stores the attacker-supplied COMMENT value, including the malicious JavaScript, into the vpnconfig.dat file.
Step 3: User Interaction: A legitimate user accesses the Smoothwall Express web interface, which subsequently renders the contents of the vpnconfig.dat file.
Step 4: Payload Execution: The user's browser parses the HTML, including the injected JavaScript payload. The JavaScript executes within the user's browser context, allowing the attacker to perform actions on behalf of the user.
The vulnerability stems from insufficient input validation of the COMMENT parameter in the vpn.cgi script when it handles the 'Add' action. The script does not sanitize the user-supplied value before storing it in the vpnconfig.dat file, and that file is later rendered in the web interface without output encoding. Specifically, the script does not escape special characters (e.g., <, >, ", ') in the COMMENT parameter before storing it, so any HTML or JavaScript placed in the comment is written to disk verbatim and emitted as live markup when the file is displayed. Because neither input validation nor output encoding is applied at any point on this path, the injected JavaScript executes in the browser context of every user who views the page: a stored (persistent) XSS.
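To make the store-and-render path concrete, here is an added Python model of the flaw and its fix; it is not Smoothwall's own (Perl) CGI code, and the request body and the one-line-per-entry record format are assumed for illustration. The vulnerable renderer interpolates the stored COMMENT straight into HTML, the fixed renderer entity-encodes every stored field on output, and a small audit helper flags existing records that carry markup metacharacters.

```python
"""Model of the vpn.cgi Add action: store a COMMENT, then render vpnconfig.dat.
Constructed example; the record format below is an assumption, not Smoothwall's."""
import html
from urllib.parse import parse_qs

# Constructed request body for an Add action (sample values, not a capture).
ADD_REQUEST = "action=Add&NAME=site1&COMMENT=%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E"


def handle_add(request_body, config_lines):
    """Append an entry from an Add request. The COMMENT value is stored verbatim,
    matching the reported behaviour; the defence belongs in render_entries_fixed."""
    params = parse_qs(request_body)
    if params.get("action", [""])[0] != "Add":
        return config_lines
    name = params.get("NAME", [""])[0]
    comment = params.get("COMMENT", [""])[0]
    config_lines.append(f"{name},{comment}")  # assumed "NAME,COMMENT" record layout
    return config_lines


def _split_records(config_lines):
    # maxsplit=1 keeps commas inside the comment attached to the comment field
    return (line.split(",", 1) for line in config_lines)


def render_entries_vulnerable(config_lines):
    """Emit the stored fields directly into HTML: the stored XSS pattern."""
    rows = [f"<tr><td>{name}</td><td>{comment}</td></tr>"
            for name, comment in _split_records(config_lines)]
    return "<table>" + "".join(rows) + "</table>"


def render_entries_fixed(config_lines):
    """Same output path with HTML entity encoding, so <, >, &, \" and ' are inert text."""
    rows = [f"<tr><td>{html.escape(name, quote=True)}</td>"
            f"<td>{html.escape(comment, quote=True)}</td></tr>"
            for name, comment in _split_records(config_lines)]
    return "<table>" + "".join(rows) + "</table>"


def contains_markup(stored_comment):
    """Audit helper: True if a stored comment holds the metacharacters the page lists,
    useful for reviewing an existing vpnconfig.dat after the fix is deployed."""
    return any(c in stored_comment for c in "<>\"'")
```

Encoding on output (rather than only filtering on input) is the durable fix, because it also neutralises records that were stored before the patch.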