Here is the exact conversation:

ASUS CASEID=RTM20150115204498-295

Dear Kaustubh,

Thank you for the information, we really appreciate your feedback. To improve our customers' experience we have forwarded your information to related dept., the concerned dept.

Wish you a nice day!

Thanks and Regards,
Mathew M.
Asus Customer Service.

---------- Original Message ----------
From : kingkaustubh@xxxxxxxxxx
Sent : 15-Jan-15 6:49:07 PM
To : "techsupport@xxxxxxxx"
Subject : Re: Re:Re:<TSD> Satisfaction-IND(EN) : Security vulnerability in this router [ID=RTM20150109203637-986] [CASEID=TM20150115204498]

Dear Mathew

Please find attached the POC for the XSS without authentication bug, the same as mentioned in the Portal reply :)

On Jan 11, 2015, at 11:05 PM, mathew_m wrote:

ASUS CASEID=RTM20150109203637-986

Dear Kaustubh,

We apologize for any inconvenience that has been caused in reply to your email and we really appreciate your feedback. To improve our customers' experience we have forwarded your information to related dept., the concerned dept. would contact you for further assistance.

Wish you a nice day!

Thanks and Regards,
Mathew M.
Asus Customer Service.

---------- Original Message ----------
From : kingkaustubh@xxxxxxxxxx
Sent : 09-Jan-15 6:19:10 PM
To : "techsupport@xxxxxxxx"
Subject : Re: Satisfaction-IND(EN) : Security vulnerability in this router [ID=RWTM20150109014017580-918] [CASEID=TM20150109203637]

Dear Mathew M.,

This is for the information security department and the developers who develop the firmware for the ASUS router.

Issue

The value of the flag request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 78846';alert(1337)//372137b5d was submitted in the flag parameter. This input was echoed unmodified in the application's response.

Please find attached the POC for the details of the concept. Please revert on priority and register a CVE ID for the same. I am planning to submit the same to https://forms.cert.org/VulReport/ to make this public once I get confirmation from your side.

On Jan 09, 2015, at 01:54 AM, mathew_m wrote:

ASUS CASEID=RWTM20150109014017580-918

Dear Kaustubh,

Thank you for contacting ASUS technical support. We request you to please help us with more details of the issue so that we could forward your details to the concerned dept. Do let us know if you face any doubts or queries.

Thanks and Regards,
Mathew M.
Asus India support team.

---------- Original Message ----------
From : kingkaustubh@xxxxxx
Sent : 08-Jan-15 5:40:17 PM
To : "techsupport@xxxxxxxx"
Subject : Satisfaction-IND(EN) : Security vulnerability in this router [CASEID=WTM20150109014017580]

Apply date : 2015/01/08 17:40:17(UTC Time)

[Contact Information]
Name : Kaustubh Padwad
Email Address : kingkaustubh@xxxxxx
Phone Number : 9186001461111
Country : India[भारत गणराज्य ]

[Product Information]
Product Type : Wireless
Product Model : RT-N10 Plus
Product S/N : CAISNE001110

[Comment]
Subject : Security vulnerability in this router
Topic : 3. Others
Description : Dear team, I am Kaustubh Padwad, a security researcher from India. I found a security vulnerability in your product: the ASUS router N10Plus is vulnerable. I don't know where to drop a mail, so kindly contact me via email for full disclosure. I just need a correct email address to disclose the POC of the vulnerability.

Sent from my iPhone
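
The issue described in the 09-Jan-15 report (a request value copied unmodified into a single-quoted JavaScript string), shown beside the output encoding that closes it. This is an added example, not part of the correspondence and not ASUS firmware code; the script variable name `flag` and the function names are assumptions.

```javascript
// Vulnerable pattern from the report: the request value is copied unmodified
// between single quotes. The script variable name `flag` is an assumption.
function renderVulnerable(flag) {
  return "var flag = '" + flag + "';";
}

// Escape every character outside [A-Za-z0-9] as \xHH or \uHHHH so the value
// cannot close the string literal or a surrounding <script> element.
function escapeForJsString(value) {
  return String(value).replace(/[^A-Za-z0-9]/g, (ch) => {
    const code = ch.charCodeAt(0);
    return code < 256
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

function renderHardened(flag) {
  return "var flag = '" + escapeForJsString(flag) + "';";
}

// Demo harness: run a rendered script with a stub alert() that only records
// its arguments, then report the value the script assigned to `flag`.
function evaluate(script) {
  const alertCalls = [];
  const run = new Function('alert', script + '\nreturn flag;');
  const flag = run((x) => alertCalls.push(x));
  return { flag, alertCalls };
}

// Payload quoted in the report.
const PAYLOAD = "78846';alert(1337)//372137b5d";

const vulnerable = evaluate(renderVulnerable(PAYLOAD));
const hardened = evaluate(renderHardened(PAYLOAD));

// Vulnerable: the literal ends at the injected quote and alert() is called.
console.log(renderVulnerable(PAYLOAD), vulnerable);
// Hardened: the whole payload stays data and no call is made.
console.log(renderHardened(PAYLOAD), hardened);
```

In the hardened output the script still receives the original value, so the fix changes only how the value is written into the page, not what the page's own code sees.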