ID:CVE-2019-5243

Description: The response headers of HG255s router's web interface is
misconfigured. For example: "X-Frame-Options" header have an irrelevant
"noopen" value. The correct value ("SAMEORIGIN") is written to
"X-XSS-Protection" section. Therefore, it's vulnerable to clickjacking
attacks.

Products or solutions and versions affected: HG255s, version:HG255sC163B029

Found By:Utku Sen

Technical Details:

When we send following GET request to the web application

<request>

GET / HTTP/1.1
Host: 192.168.1.1

</request>

It responds with:

<response>

HTTP/1.1 200 OK
Set-Cookie:
SessionID_R3=97R3fHP1v6x5hscP10EthMoy3wifoqprUCTb762yQFLTc0w..;
path=/; HttpOnly;
Cache-Control: no-cache
X-Frame-Options: noopen
X-XSS-Protection: SAMEORIGIN
Strict-Transport-Security: 1; mode=block
Date: Tue, 25 Dec 2018 14:15:56 GMT
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 8749

HTML...

</response>

In here, security headers are misconfigured. For example "X-Frame-Options"
can't have a value "noopen". It should be "SAMEORIGIN" but it's written as
"X-XSS-Protection" value. Also "X-XSS-Protection" headers value should be "1;
mode=block" which is written to "Strict-Transport-Security" header

Since X-Frame-Options header is misconfigured, this application is vulnerable
to Clickjacking attacks. Any website can load "http://192.168.1.1" and force
users to do malicious activities on their router panel.