VAR-200710-0018
Vulnerability from variot - Updated: 2023-12-18 11:39
The Thomson/Alcatel SpeedTouch 7G router, as used for the BT Home Hub 6.2.6.B and earlier, allows remote attackers on an intranet to bypass authentication and gain administrative access via vectors including a '/' (slash) character at the end of the PATH_INFO to cgi/b, aka "double-slash auth bypass." NOTE: remote attackers outside the intranet can exploit this by leveraging a separate CSRF vulnerability. NOTE: SpeedTouch 780 might also be affected by some of these issues. BT Home Hub and Speedtouch 7G are both home wireless Internet routers.
Multiple security vulnerabilities exist in BT Home Hub and SpeedTouch 7G routers, allowing malicious users to perform cross-site scripting, cross-site request forgery, script injection attacks, or bypass certain security restrictions.
1) Input validation errors when processing URLs may allow attackers to access and change password-protected resources, such as configuration and settings pages, through specially crafted URLs containing two slashes.
2) Failure to perform proper filtering before recording the login user name may allow the injection of arbitrary HTML and script code. If a user then browses the log, the injected code is executed in that user's browser session.
3) As the input to the name parameter is not properly filtered, arbitrary HTML and script code may be executed in the user's browser session.
4) Failure to properly filter the input of the url parameter in the cgi/b/ic/connect/ file may result in the execution of arbitrary HTML and script code in the user's browser session.
5) The device does not perform validity checks on user requests, allowing users to perform certain operations through HTTP requests. If the logged-in administrator visits a malicious site, this may cause the administrator password to be changed.
6) Users can directly access certain pages, such as the Wireless Security page, through the URL without authentication.
7) The administrative user can save the backup or load the configuration file through the URL, and these files should only be accessed by the tech account.
Successful exploits of many of these issues will allow an attacker to completely compromise the affected device.
NOTE: '/' (slash) vectors are covered by CVE-2007-5383.
{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-200710-0018",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "home hub",
"scope": "lte",
"trust": 1.8,
"vendor": "bt",
"version": "6.2.6.b"
},
{
"model": "speedtouch 7g router",
"scope": "eq",
"trust": 1.0,
"vendor": "alcatel",
"version": "*"
},
{
"model": "speedtouch 7g router",
"scope": null,
"trust": 0.8,
"vendor": "alcatel lucent",
"version": null
},
{
"model": null,
"scope": null,
"trust": 0.6,
"vendor": "none",
"version": null
},
{
"model": "speedtouch 7g router",
"scope": null,
"trust": 0.6,
"vendor": "alcatel",
"version": null
},
{
"model": "tg585 router",
"scope": "eq",
"trust": 0.3,
"vendor": "thomson",
"version": "0"
},
{
"model": "home hub .b",
"scope": "eq",
"trust": 0.3,
"vendor": "bt",
"version": "6.2.6"
},
{
"model": "home hub",
"scope": "eq",
"trust": 0.3,
"vendor": "bt",
"version": "6.2.2.6"
},
{
"model": "home hub",
"scope": "eq",
"trust": 0.3,
"vendor": "bt",
"version": "0"
},
{
"model": "speedtouch 7g",
"scope": null,
"trust": 0.3,
"vendor": "alcatel",
"version": null
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2007-5927"
},
{
"db": "BID",
"id": "25972"
},
{
"db": "JVNDB",
"id": "JVNDB-2007-002762"
},
{
"db": "NVD",
"id": "CVE-2007-5383"
},
{
"db": "CNNVD",
"id": "CNNVD-200710-197"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:alcatel:speedtouch_7g_router:*:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:h:bt:home_hub:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "6.2.6.b",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2007-5383"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Adrian Pastor\u203b m123303@richmond.ac.uk",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-200710-197"
}
],
"trust": 0.6
},
"cve": "CVE-2007-5383",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "NVD",
"availabilityImpact": "COMPLETE",
"baseScore": 10.0,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 10.0,
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"obtainAllPrivilege": true,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "HIGH",
"trust": 1.0,
"userInteractionRequired": false,
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Low",
"accessVector": "Network",
"authentication": "None",
"author": "NVD",
"availabilityImpact": "Complete",
"baseScore": 10.0,
"confidentialityImpact": "Complete",
"exploitabilityScore": null,
"id": "CVE-2007-5383",
"impactScore": null,
"integrityImpact": "Complete",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "High",
"trust": 0.8,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "COMPLETE",
"baseScore": 10.0,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 10.0,
"id": "VHN-28745",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 0.1,
"vectorString": "AV:N/AC:L/AU:N/C:C/I:C/A:C",
"version": "2.0"
}
],
"cvssV3": [],
"severity": [
{
"author": "NVD",
"id": "CVE-2007-5383",
"trust": 1.8,
"value": "HIGH"
},
{
"author": "CNNVD",
"id": "CNNVD-200710-197",
"trust": 0.6,
"value": "CRITICAL"
},
{
"author": "VULHUB",
"id": "VHN-28745",
"trust": 0.1,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-28745"
},
{
"db": "JVNDB",
"id": "JVNDB-2007-002762"
},
{
"db": "NVD",
"id": "CVE-2007-5383"
},
{
"db": "CNNVD",
"id": "CNNVD-200710-197"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "The Thomson/Alcatel SpeedTouch 7G router, as used for the BT Home Hub 6.2.6.B and earlier, allows remote attackers on an intranet to bypass authentication and gain administrative access via vectors including a \u0027/\u0027 (slash) character at the end of the PATH_INFO to cgi/b, aka \"double-slash auth bypass.\" NOTE: remote attackers outside the intranet can exploit this by leveraging a separate CSRF vulnerability. NOTE: SpeedTouch 780 might also be affected by some of these issues. BT Home Hub and Speedtouch 7G are both home wireless Internet routers. \n\n\u00a0Multiple security vulnerabilities exist in BT Home Hub and SpeedTouch 7G routers, allowing malicious users to perform cross-site footsteps, cross-site request spoofing, script injection attacks, or bypass certain security restrictions. \n\n\u00a01) Input validation errors when processing URLs may allow attackers to access and change password-protected resources, such as configuration and settings pages, through specially crafted URLs containing two slashes. \n\n\u00a02) Failure to perform proper filtering before recording the login user name may allow the injection of arbitrary HTML and script code. If the user browses the log, it will be executed in the user\u0027s browser session. \n\n\u00a03) As the input to the name parameter is not properly filtered, arbitrary HTML and script code may be executed in the user\u0027s browser session. \n\n\u00a04) Failure to properly filter the input of url parameters in the cgi / b / ic / connect / file may result in the execution of arbitrary HTML and script code in the user\u0027s browser session. \n\n\u00a05) The device does not perform validity checks on user requests, allowing users to perform certain operations through HTTP requests. If the logged-in administrator visits a malicious site, this may cause the administrator password to be changed. \n\n\u00a06) Users can directly access certain pages, such as the Wireless Security page, through the URL without authentication. \n\n\u00a07) The administrative user can save the backup or load the configuration file through the URL, and these files should only be accessed by the tech account. \nSuccessful exploits of many of these issues will allow an attacker to completely compromise the affected device. NOTE: \u0027/\u0027 (slash) vectors are covered by CVE-2007-5383",
"sources": [
{
"db": "NVD",
"id": "CVE-2007-5383"
},
{
"db": "JVNDB",
"id": "JVNDB-2007-002762"
},
{
"db": "CNVD",
"id": "CNVD-2007-5927"
},
{
"db": "BID",
"id": "25972"
},
{
"db": "VULHUB",
"id": "VHN-28745"
}
],
"trust": 2.52
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2007-5383",
"trust": 3.4
},
{
"db": "BID",
"id": "25972",
"trust": 2.0
},
{
"db": "SREASON",
"id": "3213",
"trust": 1.7
},
{
"db": "JVNDB",
"id": "JVNDB-2007-002762",
"trust": 0.8
},
{
"db": "CNVD",
"id": "CNVD-2007-5927",
"trust": 0.6
},
{
"db": "BUGTRAQ",
"id": "20080301 THE ROUTER HACKING CHALLENGE IS OVER!",
"trust": 0.6
},
{
"db": "BUGTRAQ",
"id": "20071008 BT HOME FLUB: PWNIN THE BT HOME HUB",
"trust": 0.6
},
{
"db": "XF",
"id": "41271",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-200710-197",
"trust": 0.6
},
{
"db": "VULHUB",
"id": "VHN-28745",
"trust": 0.1
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2007-5927"
},
{
"db": "VULHUB",
"id": "VHN-28745"
},
{
"db": "BID",
"id": "25972"
},
{
"db": "JVNDB",
"id": "JVNDB-2007-002762"
},
{
"db": "NVD",
"id": "CVE-2007-5383"
},
{
"db": "CNNVD",
"id": "CNNVD-200710-197"
}
]
},
"id": "VAR-200710-0018",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VULHUB",
"id": "VHN-28745"
}
],
"trust": 0.975
},
"last_update_date": "2023-12-18T11:39:48.732000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "Top Page",
"trust": 0.8,
"url": "http://www.alcatel-lucent.com/alcatel/"
},
{
"title": "Top Page",
"trust": 0.8,
"url": "http://www.bt.com/"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2007-002762"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-287",
"trust": 1.9
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-28745"
},
{
"db": "JVNDB",
"id": "JVNDB-2007-002762"
},
{
"db": "NVD",
"id": "CVE-2007-5383"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.0,
"url": "http://www.gnucitizen.org/blog/bt-home-flub-pwnin-the-bt-home-hub"
},
{
"trust": 2.0,
"url": "http://www.theregister.co.uk/2007/10/09/bt_home_hub_vuln/"
},
{
"trust": 1.7,
"url": "http://www.securityfocus.com/bid/25972"
},
{
"trust": 1.7,
"url": "http://www.gnucitizen.org/blog/holes-in-embedded-devices-authentication-bypass-pt-1/"
},
{
"trust": 1.7,
"url": "http://www.gnucitizen.org/projects/router-hacking-challenge/"
},
{
"trust": 1.7,
"url": "http://securityreason.com/securityalert/3213"
},
{
"trust": 1.1,
"url": "http://www.securityfocus.com/archive/1/481835/100/0/threaded"
},
{
"trust": 1.1,
"url": "http://www.securityfocus.com/archive/1/489009/100/0/threaded"
},
{
"trust": 1.1,
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/41271"
},
{
"trust": 0.8,
"url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2007-5383"
},
{
"trust": 0.8,
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2007-5383"
},
{
"trust": 0.6,
"url": "http://xforce.iss.net/xforce/xfdb/41271"
},
{
"trust": 0.6,
"url": "http://www.securityfocus.com/archive/1/archive/1/489009/100/0/threaded"
},
{
"trust": 0.6,
"url": "http://www.securityfocus.com/archive/1/archive/1/481835/100/0/threaded"
},
{
"trust": 0.3,
"url": "http://www.homehub.bt.com/"
},
{
"trust": 0.3,
"url": "http://www.gnucitizen.org/blog/call-jacking"
},
{
"trust": 0.3,
"url": "http://www.thomson.net/en/home/minisites/bap/telecom/subcategory.html?category=dsl%20modems"
},
{
"trust": 0.3,
"url": "/archive/1/481835"
},
{
"trust": 0.3,
"url": "/archive/1/486081"
},
{
"trust": 0.3,
"url": "/archive/1/517314"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-28745"
},
{
"db": "BID",
"id": "25972"
},
{
"db": "JVNDB",
"id": "JVNDB-2007-002762"
},
{
"db": "NVD",
"id": "CVE-2007-5383"
},
{
"db": "CNNVD",
"id": "CNNVD-200710-197"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CNVD",
"id": "CNVD-2007-5927"
},
{
"db": "VULHUB",
"id": "VHN-28745"
},
{
"db": "BID",
"id": "25972"
},
{
"db": "JVNDB",
"id": "JVNDB-2007-002762"
},
{
"db": "NVD",
"id": "CVE-2007-5383"
},
{
"db": "CNNVD",
"id": "CNNVD-200710-197"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2007-10-08T00:00:00",
"db": "CNVD",
"id": "CNVD-2007-5927"
},
{
"date": "2007-10-12T00:00:00",
"db": "VULHUB",
"id": "VHN-28745"
},
{
"date": "2007-10-08T00:00:00",
"db": "BID",
"id": "25972"
},
{
"date": "2012-06-26T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2007-002762"
},
{
"date": "2007-10-12T01:17:00",
"db": "NVD",
"id": "CVE-2007-5383"
},
{
"date": "2007-10-11T00:00:00",
"db": "CNNVD",
"id": "CNNVD-200710-197"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2007-10-08T00:00:00",
"db": "CNVD",
"id": "CNVD-2007-5927"
},
{
"date": "2018-10-15T00:00:00",
"db": "VULHUB",
"id": "VHN-28745"
},
{
"date": "2011-04-04T20:05:00",
"db": "BID",
"id": "25972"
},
{
"date": "2012-06-26T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2007-002762"
},
{
"date": "2018-10-15T21:44:13.623000",
"db": "NVD",
"id": "CVE-2007-5383"
},
{
"date": "2007-10-15T00:00:00",
"db": "CNNVD",
"id": "CNNVD-200710-197"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-200710-197"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "BT Home Hub Used in Thomson/Alcatel SpeedTouch 7G Vulnerability to gain administrator access on router",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2007-002762"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "authorization issue",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-200710-197"
}
],
"trust": 0.6
}
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.