Cisco Support Community

xss on rv042 login page

i recently got an rv042 and updated to the most recent (v4.0.4.02-tm  (Jul  4 2011 13:30:56)) firmware. but the input to the login page isn't sanitized and seems to be a gaping xss vulnerability. if i enter

aa");alert("xss!

as a username with any password it tells me it's invalid. but then if i log in and look at the system log i'll see a javascript alert pop up. so anybody who can access the management interface can enter iframes or javascript and next time i look at the log it'll all execute in my browser. how did that get past testing? it pretty much makes the log useless. any chance this will get fixed in a future firmware update?

edit - looks like disabling Unauthorized Login Attempt logging will prevent the username from being written into the log. so that mitigates the danger. but it's enabled by default and that's the kind of thing i like to see in logs. seems like it deserves a fix.
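
The behaviour described in the post, as an added example that is not part of the original post and is not the router's firmware code. It assumes the log page emits each entry as an inline-script call (the `addLog` function and the message text are hypothetical), shows why the posted username ends the string literal early, and shows an encoder that keeps the same username as data.

```javascript
// Constructed model of a log page that writes each entry as an inline-script
// call. addLog() and the message wording are assumptions, not firmware code.

// Vulnerable pattern: the username is pasted into a JS string literal as-is.
function renderUnsafe(username) {
  return 'addLog("Unauthorized login attempt, user: ' + username + '");';
}

// Hardened: JSON.stringify produces a valid JS string literal (quotes and
// backslashes escaped). The extra replacements stop "</script>" or "<!--"
// inside the value from ending the inline script block in the HTML parser,
// and keep U+2028/U+2029 from acting as line terminators in older engines.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

function renderSafe(username) {
  const msg = 'Unauthorized login attempt, user: ' + username;
  return 'addLog(' + jsStringLiteral(msg) + ');';
}

// Evaluate one generated line with stub addLog/alert and record what ran.
// In a real page addLog should also write the text with textContent, not
// innerHTML or document.write, so the value stays inert in the HTML context.
function run(scriptLine) {
  const calls = { logged: [], alerts: [] };
  const fn = new Function('addLog', 'alert', scriptLine);
  fn((m) => calls.logged.push(m), (m) => calls.alerts.push(m));
  return calls;
}

const payload = 'aa");alert("xss!'; // the username quoted in the post
console.log(renderUnsafe(payload), run(renderUnsafe(payload)));
console.log(renderSafe(payload), run(renderSafe(payload)));
```
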
