Recently, a vulnerability has been discovered in several Draytek products which are susceptible to Cross Site Scripting (XSS) attacks. This vulnerability has been assigned the CVE number CVE-2023-23313. The affected products include Vigor391, Vigor100B, Vigor2962, Vigor2865, Vigor2866, Vigor2927, Vigor2915, Vigor2765, Vigor2766, Vigor2135, Vigor2763, Vigor2862, Vigor2926, Vigor2925, Vigor2952, Vigor322, Vigor2133, Vigor2762, and Vigor2832. The attacks specifically target the wlogin.cgi and user_login.cgi scripts in the web application management portal of the routers.
Exploit Details
The vulnerability exists due to insufficient sanitization of user-supplied input processed by the aforementioned CGI scripts in the web application management portal. Attackers can exploit this to inject malicious scripts which would be executed when an unsuspecting user accesses the management portal in their browser.
The following code snippet demonstrates a sample XSS payload that an attacker can use to exploit the vulnerability:
<script>alert('XSS');</script>
An attacker can craft a URL similar to the following URL, where router_url should be replaced with the actual router's URL, and sample_payload with the attacker's desired payload:
http://router_url/wlogin.cgi?user_name=sample_payload
The unsuspecting user would then be presented with an alert message once they access the faulty URL.
Mitigation
Draytek is expected to soon release patches for affected products. Users are highly recommended to update their devices to the latest firmware version once available. Until then, it is advised to inform users of the potential risks and to practice caution when accessing the router's web application management portal.
Conclusion
This vulnerability highlights the importance of timely security updates and awareness about the risks associated with using unpatched or older versions of router firmwares. While a patch is expected soon, users should take precautionary measures to avoid falling victim to possible XSS attacks.
Timeline
Published on: 03/03/2023 22:15:00 UTC
Last modified on: 03/10/2023 14:52:00 UTC