During this attack, nothingĬan be controlled anymore (no switch of the demo case worked):įurthermore, the following HTTP request (sometimes it is necessary to send it aįew times) renders the web interface itself unusable. The attack is stopped (it will reboot afterwards). Running the following command will keep the miniserver in a non-responsive stateĪfter a few seconds (depending on the bandwidth) and it will not recover until The payload uses double-encoded values in order to bypass the Prompted), which will show a popup message and turn on the LED light of the To reproduce this behavior it is sufficient to open the following URL as anĪuthenticated user (or social engineer the victim to enter the credentials when Of the Loxone miniserver device and trick a user into sending username/passwordģ) Reflected cross-site scripting (XSS) vulnerability phishingĮmail or discussion forum) will for example be able to re-create the login page (combined XSS attack) that generates a popup as an example: The following URL demonstrates this issue and injects some HTML/JavaScript code Inject arbitrary HTML/JavaScript code (Response splitting / Header injection). Is possible to inject new headers or manipulate the response body in order to Any payload within the URL will be added to the realm. The WWW-Authenticate header is not properly sanitized and uses the URI for the _not_ authenticated which will be most of the time in regular use cases.
The following payload only works by accessing the web interface when a user is SEC Consult Vulnerability Lab Security Advisory Ģ) HTTP Response Splitting / Header injection
0 kommentar(er)
