Info

Disclosure

Jul 26, 2006

Discovery

Unknown

Dates

Exploit

Jul 26, 2006

Solution

Unknown

Description

ZyXEL Prestige 660H-61 contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate 'a' variable upon submission to Forms/rpSysAdmin. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

Classification

Location: Remote/Network Access Required
Attack Type: Input Manipulation
Impact: Loss of Integrity
Exploit: Exploit Available
OSVDB: Web Related

Solution

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

Products

ZyXEL Communications Corporation

Prestige 660H-61

V3.40(PT.0)b32

References

Security Tracker: 1016598
Bugtraq ID: 19180
CVE ID: 2006-3929 (see also: NVD)
Secunia Advisory ID: 21225
ISS X-Force ID: 28021
FrSIRT Advisory: ADV-2006-3012
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-07/0458.html
Other Advisory URL: http://www.eazel.es/media/advisory004-Zyxel-Prestige-660H-61-Cross-Site-Scripting ......
Vendor URL: http://www.zyxel.com

Credit

José Ramón Palanco - jose.palancoeazel.es - Eazel

Direct URL: http://osvdb.org/36218