Blog: Vulnerability Advisory
Netgear EX7000 Wi-Fi Range Extender. Minor XSS and Poor Password Handling
Netgear was informed of this issue on 4th June 2016. Fixed firmware is now available, but I’m not sure when it was released as they didn’t tell me.
Hardware Version: EX7000
Firmware Version affected: V18.104.22.168_1.0.94 ( and probably before that as well )
Firmware updates are here – or use the web page check function : http://www.netgear.com/support/product/EX7000.aspx?cid=wmt_netgear_organic#download
It was possible to conduct a Cross Site Scripting attack against the EX7000 AC1900 router with current firmware. If you create an SSID called and perform a network discovery, the code located at http://xjs.io will execute when you move the mouse over the network name.
While doing this, it became apparent that the “remember me” option stores the username and password as cookies, without setting them as “httpOnly”.
Now, I do appreciate that the attacker needs to be physically near to the device during setup, so that the SSID shows up in the list, so it’s not a major issue by any means – but it does serve to illustrate that any data you accept from the outside world needs to be validated, and not just the direct input parameters of the web application.
Users should upgrade their firmware, or at least be careful when performing wireless surveys using their EX7000 and should not use the Remember Me function.
4th June 2016 – notified vendor
<Some to’ing and fro’ing>
26th July 2016 – vendor says this issue will hopefully be addressed in due course.
“We do have a Field Trial release available and the vulnerability issue has been addressed. The next maintenance release will include this resolution.”
11th November – Having heard nothing further, I checked to see if any updates were available. XSS in SSID issue appears to be fixed.