Advisory ID: SYSS-2023-016
Product: Gira KNX IP router
Manufacturer: Gira Giersiepen GmbH & Co. KG
Affected Version(s): 3.1.3683.0, 3.3.8.0
Tested Version(s): 3.1.3683.0, 3.3.8.0
Vulnerability Type: Cross-Site Scripting (CWE-79)
Risk Level: Medium
Solution Status: Unknown
Manufacturer Notification: 2023-05-11
Solution Date: Unknown
Public Disclosure: 2023-06-28
CVE Reference: CVE-2023-33276
Author of Advisory: Marc Gessler, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The Gira KNX/IP router is a connection device for KNX lines for data
transmission over the Internet Protocol.

The manufacturer describes the product as follows (see [1]):

> Connection of KNX lines with aid of data networks and use of the
> Internet protocol (IP).
> Coupling of a KNX system together with the Gira HomeServer or Gira
> FacilityServer.
> Filtering and forwarding of telegrams.
> Use as line or area coupler.
> [...]

Due to insufficient validation of user-provided input, it is vulnerable
to cross-site scripting attacks.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The web server interface of the product responds with a "404 - Not
Found" status code if a path is accessed that does not exist. However,
the value of the requested path is reflected in the response body.

As the application reflects the supplied path without context-sensitive
HTML encoding, it is vulnerable to a reflected cross-site scripting
attack.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

Request:

GET /%3Cimg%20src=SySS%20onerror=alert(%22XSS_GIRA_KNX/IP-Router%22)%3E HTTP/1.1

Response:

HTTP/1.1 404 Not Found
Server: ise GmbH HTTP-Server v2.0
Accept-Ranges: bytes
Cache-Control: no-store, no-cache
Content-Type: text/html
Content-Length: 63

/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Context-sensitive HTML encoding of user input before reflecting it back
can be used to prevent a successful reflected cross-site scripting
attack.

More information can be found at:
https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2023-05-09: Vulnerability discovered
2023-05-11: Vulnerability reported to manufacturer
2023-06-28: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for Gira KNX IP router
    https://katalog.gira.de/en/datenblatt.html?id=658626
[2] SySS Security Advisory SYSS-2023-016
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2023-016.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Marc Gessler of SySS GmbH.

E-Mail: marc.gessler@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/marc_gessler.asc
Key ID: 0x5077DCEB1C98D0A2
Key Fingerprint: 3F7B B558 6734 8FCF 25A0 F596 5077 DCEB 1C98 D0A2

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible.
The latest version of this security advisory is available on the SySS
website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: https://creativecommons.org/licenses/by/3.0/deed.en
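The following is an added illustration of the fix described in the Solution section, not code from the advisory or from the Gira/ise product. It models a 404 handler that reflects the requested path, once verbatim (the defect class described above) and once with context-sensitive HTML encoding for element content, and runs both against the advisory's own PoC path; the handler function names and the response body layout are assumptions.

```python
import html
from urllib.parse import unquote

# The PoC path from the advisory, URL-decoded the way a server would
# see it before building its 404 body (constructed test input).
POC_PATH = unquote(
    "/%3Cimg%20src=SySS%20onerror=alert(%22XSS_GIRA_KNX/IP-Router%22)%3E"
)


def not_found_body_vulnerable(path: str) -> str:
    """Hypothetical 404 body that reflects the path without encoding.

    Any '<', '>' or quote characters in the path become live markup.
    """
    return f"<html><body><h1>404 - Not Found</h1><p>{path}</p></body></html>"


def not_found_body_fixed(path: str) -> str:
    """404 body that HTML-encodes the path for the element-content context.

    html.escape(quote=True) rewrites & < > " ' so the reflected value is
    rendered as text rather than parsed as a tag or attribute.
    """
    safe = html.escape(path, quote=True)
    return f"<html><body><h1>404 - Not Found</h1><p>{safe}</p></body></html>"


def build_404_response(path: str, encode: bool) -> bytes:
    """Assemble a full HTTP/1.1 404 response with a correct Content-Length.

    The header set mirrors the advisory's captured response; the Server
    header is omitted so the example does not impersonate the product.
    """
    body = not_found_body_fixed(path) if encode else not_found_body_vulnerable(path)
    raw = body.encode("utf-8")
    headers = (
        "HTTP/1.1 404 Not Found\r\n"
        "Cache-Control: no-store, no-cache\r\n"
        "Content-Type: text/html; charset=utf-8\r\n"
        f"Content-Length: {len(raw)}\r\n\r\n"
    )
    return headers.encode("ascii") + raw


def reflects_markup(body: str) -> bool:
    """Check used by the test: does the body still contain a raw <img tag?"""
    return "<img" in body
```

Run it against any other path to confirm that the encoded variant never emits a tag from user input, regardless of which characters the path contains.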