Security Advisory 2021-08-01-2 - Stored XSS in hostname UCI variable (CVE-2021-33425)

Multiple OpenWrt LuCI templates, including the one shipped by default, integrated the content of the UCI hostname variable without stripping malicious JavaScript from it. This allowed an attacker who can control the content of the UCI hostname variable to inject arbitrary JavaScript into LuCI.

The following LuCI packages were affected:

  • luci-theme-bootstrap
  • luci-theme-material
  • luci-theme-openwrt

The attacker needs permission to change the UCI hostname variable. Normally only the root user is allowed to do this. In a normal OpenWrt installation such a user would already be allowed to make arbitrary changes to LuCI, including changing the LuCI templates.

An attacker has to store a malicious hostname like this:

$ uci set system.@system[0].hostname='<script>alert("XSS")</script>'
$ uci commit
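
A defensive check for the stored value described above, as an added example that is not part of the advisory or of OpenWrt/LuCI code: it validates the hostname against RFC 1123 syntax and HTML-escapes anything that fails before printing it. The function names and sample values are assumptions made for this illustration; the advisory does not state how the templates were fixed.

```shell
#!/bin/sh
# Added example: audit the UCI hostname for values that are not plain hostnames.
LC_ALL=C; export LC_ALL   # make the [A-Za-z] ranges byte-exact

# Return 0 if $1 is a valid RFC 1123 hostname: dot-separated labels of
# 1-63 letters/digits/hyphens, no leading/trailing hyphen, <= 253 chars.
hostname_is_valid() {
    name=$1
    [ -n "$name" ] && [ "${#name}" -le 253 ] || return 1
    case $name in
        *[!A-Za-z0-9.-]*|.*|*.|*..*) return 1 ;;   # bad char or empty label
    esac
    rest=$name
    while [ -n "$rest" ]; do
        label=${rest%%.*}                           # first remaining label
        case $rest in *.*) rest=${rest#*.} ;; *) rest= ;; esac
        [ "${#label}" -le 63 ] || return 1
        case $label in -*|*-) return 1 ;; esac
    done
    return 0
}

# Escape HTML metacharacters so an untrusted value can be shown safely.
html_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' \
        -e 's/>/\&gt;/g' -e 's/"/\&quot;/g' -e "s/'/\&#39;/g"
}

# Print a verdict for one hostname value; return 1 if it needs attention.
audit_hostname() {
    if hostname_is_valid "$1"; then
        printf 'OK: %s\n' "$1"
    else
        printf 'INVALID hostname (escaped): %s\n' "$(html_escape "$1")"
        return 1
    fi
}

# On an OpenWrt device audit the live value; elsewhere use constructed samples.
if command -v uci >/dev/null 2>&1; then
    audit_hostname "$(uci -q get 'system.@system[0].hostname')" || true
else
    for sample in 'OpenWrt' '<script>alert("XSS")</script>'; do
        audit_hostname "$sample" || true
    done
fi
```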

To our knowledge, OpenWrt versions 19.07.0 to 19.07.7 are affected. The fixed packages will be integrated in the upcoming OpenWrt 19.07.8 and OpenWrt 21.02.0 releases. Older versions of OpenWrt (e.g. OpenWrt 18.06, OpenWrt 15.05 and LEDE 17.01) are end of life and no longer supported.

This issue was identified by Рома Шагун.

  • Last modified: 2021/08/07 18:12
  • by hauke