MikroTik RouterOS < v7.0 - Reflected XSS in UserManager
MikroTik RouterOS UserManager has a reflected XSS vulnerability affecting all versions before v7.0. An attacker can craft a malicious URL to inject JavaScript that runs in the victim's browser. Although the system tries to filter the input to reduce the risk, the filter can be bypassed by repeating the payload. The flaw can lead to unauthorized JavaScript execution, phishing, redirection and similar threats. Recommended fixes include context-aware encoding of user input, deploying a Content Security Policy (CSP), and never reflecting unvalidated GET parameters into HTML or JavaScript contexts. 2025-7-7 19:49:35 Author: cxsecurity.com


# Exploit Title: MikroTik RouterOS < v7 - Reflected Cross-Site Scripting (XSS) in UserManager Web Interface
# Google Dork: N/A (UserManager interface is typically not publicly exposed)
# Date: 2025-07-03
# Exploit Author: Ahmed Mutaher
# Vendor Homepage: https://mikrotik.com/
# Software Link: https://mikrotik.com/download
# Version: All versions prior to v7.0
# Tested on:
# - RB1100AHx4 (v6.48.2)
# - RB750GL (v6.39)
# - CCR1009-8G-1S-1S+ (v6.41)
# - x86 (v5.20, v6.49.18)
# CVE: N/A

# Description:
# A reflected cross-site scripting (XSS) vulnerability exists in MikroTik RouterOS versions prior to v7,
# specifically in the UserManager web interface. This flaw can be exploited by unauthenticated attackers,
# allowing JavaScript injection via a specially crafted URL without requiring a valid login session.
#
# During analysis of the source code of the /userman page, it was discovered that the application attempts
# to mitigate injection by discarding any content after the double slash (//). However, by repeating the payload
# and crafting it carefully, this behavior can be bypassed and JavaScript can be executed in the browser context.

# Vulnerable Endpoint:
# http://<router-ip>/userman/',true);alert('XSS');//',true);alert('XSS');//

# Proof of Concept (PoC):
Payload: http://192.168.88.1/userman/',true);alert('XSS');//',true);alert('XSS');//

# Steps to Reproduce:
1. Open the target RouterOS UserManager URL in a browser without logging in.
2. Inspect the page source and identify the reflected input behavior.
3. Notice that the system strips content after `//`.
4. Craft the payload to repeat the malicious code to bypass the filtering.
5. When the payload is executed, an alert box is triggered, proving the XSS vulnerability.

# Impact:
- JavaScript execution without authentication.
- Possible phishing or redirection attacks.
- Can be used as part of a social engineering chain to trick admins or users.

# Mitigation:
- Sanitize all user input using context-aware encoding (e.g., htmlspecialchars()).
- Implement Content Security Policy (CSP).
- Avoid reflecting unsanitized GET parameters in HTML or JavaScript contexts.
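The description above says the page truncates the reflected value at `//` and that this is defeated by repetition, and the mitigation section asks for context-aware encoding instead. The following is an added regression-test style example, not code from the advisory or from RouterOS: it models a "discard after the last //" filter and a `load('<path>',true);` template (both assumptions inferred from the PoC payload), then shows that the advisory's payload still reaches `alert()` under the truncating filter but is inert once the value is encoded for a JavaScript string literal.

```javascript
// Added example (not from the advisory or RouterOS): a regression test that
// shows why truncating at "//" is not a fix and what context-aware encoding
// for a JavaScript string literal does instead.  The template shape and the
// "discard after the last //" filter are assumptions modelled on the
// advisory's description, not RouterOS source.

// Reflected path segment, quoted from the advisory's PoC URL.
const ADVISORY_PAYLOAD = "',true);alert('XSS');//',true);alert('XSS');//";

// Model of the filter the advisory describes: keep only text before "//".
function truncateAtDoubleSlash(input) {
  const i = input.lastIndexOf("//");
  return i === -1 ? input : input.slice(0, i);
}

// Context-aware encoding for a value placed inside a quoted JS string
// literal: backslash, quotes, angle brackets, NUL and line terminators are
// emitted as \uXXXX escapes, so the value can neither close the string nor
// inject "</script>".  The JS-context counterpart of htmlspecialchars().
function encodeForJsString(input) {
  return input.replace(/[\\'"<>\0\n\r\u2028\u2029]/g, (c) =>
    "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0"));
}

// Hypothetical server-side template: the path segment lands inside a JS
// call in the page.  Returns the generated script text.
function renderScript(pathSegment, filter) {
  return "load('" + filter(pathSegment) + "',true);";
}

// Runs the generated script with stub load()/alert() and records every call,
// so a test can see whether anything beyond the intended load() executes.
function runInHarness(script) {
  const calls = [];
  const fn = new Function("load", "alert", script);
  fn((path, flag) => calls.push(["load", path, flag]),
     (msg) => calls.push(["alert", msg]));
  return calls;
}

// Returns the recorded calls for both treatments of the advisory payload:
// "truncated" still contains an alert call, "encoded" is a single load call
// whose argument is the payload as plain text.
function compareTreatments(payload = ADVISORY_PAYLOAD) {
  return {
    truncated: runInHarness(renderScript(payload, truncateAtDoubleSlash)),
    encoded: runInHarness(renderScript(payload, encodeForJsString)),
  };
}

console.log(JSON.stringify(compareTreatments(), null, 1));
```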



 

Source: https://cxsecurity.com/issue/WLB-2025070009