CVE-2019-25392
📋 TL;DR
Smoothwall Express 3.1-SP4-polar-x86_64-update9 contains a reflected cross-site scripting vulnerability in the iptools.cgi endpoint. Unauthenticated attackers can inject malicious JavaScript via the IP parameter in POST requests, which executes in victim browsers when they visit manipulated links. This affects all users of the vulnerable Smoothwall Express version.
💻 Affected Systems
- Smoothwall Express
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator session cookies, perform actions as authenticated users, redirect to malicious sites, or install malware on administrator systems.
Likely Case
Session hijacking of authenticated users, credential theft, or defacement of the Smoothwall interface.
If Mitigated
Limited impact with proper input validation, output encoding, and Content Security Policy headers in place.
🎯 Exploit Status
Exploit code is publicly available on Exploit-DB (ID 46333), making exploitation trivial for attackers.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not specified
Vendor Advisory: http://www.smoothwall.org
Restart Required: No
Instructions:
Check Smoothwall.org for security updates or patches. Consider upgrading to a newer version if available.
🔧 Temporary Workarounds
Input Validation and Sanitization
Platform: linux
Implement server-side validation and sanitization of the IP parameter in iptools.cgi to reject malicious input.
Modify iptools.cgi to validate IP parameter format (e.g., regex for valid IP addresses) and sanitize output.
Web Application Firewall (WAF)
Platform: all
Deploy a WAF to block XSS payloads in requests to iptools.cgi.
Configure WAF rules to detect and block script tags or JavaScript in POST parameters to /cgi-bin/iptools.cgi.
🧯 If You Can't Patch
- Implement strict Content Security Policy (CSP) headers to mitigate script execution.
- Restrict access to iptools.cgi endpoint to trusted IP addresses only.
🔍 How to Verify
Check if Vulnerable:
Test by sending a POST request to /cgi-bin/iptools.cgi with a script payload in the IP parameter (e.g., IP=<script>alert('XSS')</script>) and check whether it executes in the browser.
Check Version:
Check Smoothwall Express version via web interface or system logs; specific version may be displayed in admin panel.
Verify Fix Applied:
After applying fixes, repeat the test; script execution should be blocked or sanitized.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /cgi-bin/iptools.cgi with script-like content in parameters.
- Multiple failed attempts or successful XSS payloads in web server logs.
Network Indicators:
- HTTP POST traffic to iptools.cgi containing JavaScript or script tags in payloads.
- Unexpected redirects or outbound connections from Smoothwall interface.
SIEM Query:
source="web_logs" AND uri="/cgi-bin/iptools.cgi" AND method="POST" AND (param="IP" CONTAINS "<script>" OR param="IP" CONTAINS "javascript:")
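
The query above matches only literal `<script>` or `javascript:` strings, so percent-encoded or double-encoded values pass it. The following added example (not part of the original advisory or of Smoothwall's code) decodes the POST body and applies the allow-list idea from the workaround instead: any IP value that is not a valid address is flagged. It assumes request bodies are available as (method, URI, body) records and that the field should only ever hold an IP address literal; the sample records are constructed.

```python
import ipaddress
from urllib.parse import parse_qs, unquote_plus

ENDPOINT = "/cgi-bin/iptools.cgi"
MARKUP = ("<", ">", '"', "'", "javascript:")

def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding so %253Cscript%253E is seen as <script>."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify_ip_param(body):
    """Return 'ok', 'invalid' or 'xss-like' for the IP field of a form body."""
    verdict = "ok"
    for raw in parse_qs(body).get("IP", []):  # parse_qs decodes one layer
        value = fully_decode(raw).strip()
        try:
            ipaddress.ip_address(value)       # allow-list: address literals only
            continue
        except ValueError:
            pass
        if any(tok in value.lower() for tok in MARKUP):
            return "xss-like"
        verdict = "invalid"
    return verdict

def scan(records):
    """records: (method, uri, body) tuples. Return (verdict, body) alerts."""
    hits = []
    for method, uri, body in records:
        if method == "POST" and uri.split("?")[0] == ENDPOINT:
            verdict = classify_ip_param(body)
            if verdict != "ok":
                hits.append((verdict, body))
    return hits

# Constructed sample records (assumed log shape, not real traffic)
SAMPLE = [
    ("POST", ENDPOINT, "IP=192.168.1.10"),
    ("POST", ENDPOINT, "IP=%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E"),
    ("POST", ENDPOINT, "IP=%253Cscript%253Ealert(1)%253C%252Fscript%253E"),
    ("POST", ENDPOINT, "IP=not-an-address"),
    ("POST", "/cgi-bin/other.cgi", "IP=%3Cscript%3E"),
]

print(*scan(SAMPLE), sep="\n")
```

The same `classify_ip_param` check can serve as the server-side validation step: reject anything that does not return `ok` before the value is reflected into a page.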