“Ubiquiti Networks develops high-performance networking technology for service providers and enterprises. Our technology platforms focus on delivering highly advanced and easily deployable solutions that appeal to a global customer base in underserved and underpenetrated markets.”
SEC Consult recommends not using this device in production until a thorough security review has been performed by security professionals and all identified issues have been resolved.
1) Reflected Cross Site Scripting (XSS) in Internet Explorer
This vulnerability can be exploited by deactivating or bypassing the integrated XSS filter of Internet Explorer.
Proof of concept
1) Reflected Cross Site Scripting (XSS) in Internet Explorer
The following URL can be used as PoC:
The characters “=” and “/” are not allowed in this injection.
This restriction can be bypassed in Internet Explorer via the use of an SVG and a BR tag.
Since “/” is not allowed, the <script> tag can’t be closed and therefore browsers will not execute the supplied code. Moreover, event handlers (e.g. <svg onload=alert(1)>) can’t be used because of the “=” restriction. However, Internet Explorer can be tricked into parsing the script via the use of the SVG and BR tags.
It can be assumed that similar tricks exist for other browsers.
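The restriction described above (rejecting only “=” and “/”) compared with HTML output encoding of the reflected value, as an added example that is not part of the original advisory and not the vendor's code. The filter is modelled from the advisory's description only; all function names and sample inputs are constructed.

```javascript
// Added example: character blacklist vs. output encoding for a reflected value.
// All names and inputs below are constructed for illustration.

// Restriction as described in the advisory: "=" and "/" are not allowed.
function blacklistAccepts(input) {
  return !/[=\/]/.test(input);
}

// Output encoding for an HTML body or quoted-attribute context:
// every character that can change the parser state becomes an entity.
const HTML_ENTITIES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;",
  "'": "&#x27;", "/": "&#x2F;", "=": "&#x3D;", "`": "&#x60;",
};
function encodeHtml(input) {
  return String(input).replace(/[&<>"'\/=`]/g, (c) => HTML_ENTITIES[c]);
}

// True if the value, once embedded in a page, would start a tag.
function introducesMarkup(value) {
  return /<[a-zA-Z!?\/]/.test(value);
}

// Value as it would be written into the response under each policy
// (null means the request was rejected by the blacklist).
function renderValue(input, policy) {
  if (policy === "blacklist") return blacklistAccepts(input) ? input : null;
  return encodeHtml(input);
}

// Constructed, benign samples: markup only, no script.
const SAMPLES = ["plain text", "<h1>injected", "<b title=x>", "1 < 2"];

function audit(inputs) {
  return inputs.map((input) => {
    const raw = renderValue(input, "blacklist");
    const enc = renderValue(input, "encode");
    return {
      input,
      blacklist: raw === null ? "rejected"
        : introducesMarkup(raw) ? "markup reflected" : "safe",
      encoding: introducesMarkup(enc) ? "markup reflected" : "safe",
    };
  });
}

console.log(audit(SAMPLES));
```

The second sample passes the blacklist because it needs neither forbidden character, which is why the filter only narrows the input space instead of removing the injection point; encoding at output time leaves no tag opener in any of the samples.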
Vulnerable / tested versions
EdgeRouter X SFP – Firmware v1.9.1
Vendor contact timeline
2017-04-04: Contacting vendor through HackerOne. Vendor sets status to “Triaged”.
2017-04-24: Asking for an update.
2017-04-25: Vendor responds that the fix is available in firmware v220.127.116.11.
2017-05-05: Found the update on the website of the vendor. It was available since 2017-04-28.
2017-05-15: Contacted vendor via e-mail and set the publication date to 2017-07-24.
2017-07-24: Public release of security advisory
Upgrade to firmware v18.104.22.168 or later.
EOF R. Freingruber, T. Weber / @2017
- Title: SEC Consult Vulnerability Lab Security Advisory < 20170724-0 > Cross-Site Scripting (XSS)
- Product: Ubiquiti Networks EP-R6, ER-X, ER-X-SFP
- Vulnerable version: Firmware v1.9.1
- Fixed version: Firmware v22.214.171.124
- CVE number: --
- Impact: Medium
- Found: 2017-04-04
- By: R. Freingruber, T. Weber (Office Vienna) SEC Consult Vulnerability Lab