The Netgear FVS318 is "an easy to use, firewall/router designed for home users and small businesses". SecuriNews Research has found 2 vulnerabilities in the router, one allows bypassing the product's content filtering mechanism while the other allows injecting arbitrary HTML and/or JavaScript into the product's log files which can then be used to attack the administrator of the router.
Content Filtering Bypass:
By using HEX encoded characters, it is possible to bypass the URL filter. For example, if the router administrator blocks the phrase ".exe"; a user can encode one or more characters in the URL phrase to bypass the filter. If we encode the 'x' in ".exe", the new phrase ".e%78e" will bypass the filter.
Log File Arbitrary Content Injection:
The content filter/log viewer contains a Cross Site Scripting vulnerability. When a user tries to access a blocked URL phrase, it is logged in the Security Log. If a user were to inject JavaScript into a blocked URL phrase, the JavaScript would be executed by the administrator's browser when the security log is viewed.
Proof of Concept:
If the router administrator has blocked the URL phrase ".exe", a user can inject JavaScript as follows: http://www.example.com/somefile.exe</textarea><script>alert('XSS')</script>
Note: The string "</textarea>" must be added before the injected JavaScript, as the security log is placed in a text area.
