Multi-Tech Systems MultiModem iSMS Multiple XSS Vulnerabilities

—————————————————————————————————————————————————————-
1. Summary:

Multi-Tech Systems “MultiModem iSMS” appliance is affected by multiple XSS (cross-site scripting) vulnerabilities. The product was designed to give low bandwidth applications the ability to send information by reliable, affordable SMS text messages.

—————————————————————————————————————————————————————-
2. Description:

Attack #1
An attacker can inject XSS code into the web management interface at the login screen. The XSS code can be injected through the username field. The system will log failed login username attempts. When the administrator goes to view the logs through the web management interface, the XSS code will be executed. The logs can be located through the web management interface here:

Statistics / Logs / Log Traces / System Logs

Attack #2
An attacker can inject XSS code into the web management interface via SMS text message. When the administrator goes to view the logs through the web management interface, the XSS code will be executed. The logs can be located through the web management interface here:

SMS Services / Inbox

Below is a POC video demonstrating the attack:

http://www.securitypentest.com/2011/05/multi-tech-systems-xss-poc.html

—————————————————————————————————————————————————————-
3. Impact:

Potentially allow an attacker to compromise the device, access the victims iSMS account, the vicitim’s browser, and information leakage about an organization.

—————————————————————————————————————————————————————-
4. Affected Products:

MultiModem iSMS Web Management Interface version 1.47 and below
MultiModem iSMS SF100 appliance, other models may be vulnerable

—————————————————————————————————————————————————————-
5. Solution: Apply the latest supplied vendor patches.

—————————————————————————————————————————————————————-
6. Time Table:

04/25/2011 Reported Vulnerability to the Vendor
05/13/2011 Vendor Acknowledge Vulnerability
05/24/2011 Upgrade to version 1.47f

—————————————————————————————————————————————————————-
7. Credits:

Discovered by Nathan Power
www.securitypentest.com

—————————————————————————————————————————————————————-