{"id":2861,"date":"2015-01-21T16:20:32","date_gmt":"2015-01-21T16:20:32","guid":{"rendered":"https:\/\/dn-www.azurewebsites.net\/2015\/01\/21\/brother-mfc-j4410dw-printer-administration-xss\/"},"modified":"2024-03-18T16:04:22","modified_gmt":"2024-03-18T16:04:22","slug":"brother-mfc-j4410dw-printer-administration-xss","status":"publish","type":"post","link":"https:\/\/dionach.development-visionsharp.co.uk\/en-us\/brother-mfc-j4410dw-printer-administration-xss\/","title":{"rendered":"Brother MFC-J4410DW Printer Administration XSS"},"content":{"rendered":"\t\t<div data-elementor-type=\"wp-post\" data-elementor-id=\"2861\" class=\"elementor elementor-2861\" data-elementor-post-type=\"post\">\n\t\t\t\t<div class=\"elementor-element elementor-element-724202bc e-flex e-con-boxed e-con e-parent\" data-id=\"724202bc\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-37340c30 elementor-widget elementor-widget-text-editor\" data-id=\"37340c30\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p style=\"margin: 0.5em 0px; font-family: frutiger-lt-45-light1, Verdana, Geneva, Arial, helvetica, sans-serif; font-size: 14px; line-height: 24px; background-color: #ffffff;\">The administration service web pages on the Brother MFC-J4410DW model printer are vulnerable to reflected cross-site scripting through the \u201curl\u201d querystring parameter. This allows a user\u2019s session to be hijacked or allows an attacker to take control of the user\u2019s browser. 
For cross-site scripting to be exploited by an attacker, a victim needs to visit a specially crafted link created by the attacker, for example sent to the victim in an email.<\/p><p style=\"margin: 0.5em 0px; font-family: frutiger-lt-45-light1, Verdana, Geneva, Arial, helvetica, sans-serif; font-size: 14px; line-height: 24px; background-color: #ffffff;\">The following proof-of-concept example demonstrates this vulnerability. Note that all pages which process this querystring parameter are also vulnerable.<\/p><pre style=\"margin-top: 0.5em; margin-bottom: 0.5em; font-family: 'Courier New', 'DejaVu Sans Mono', monospace, sans-serif; font-size: 14px; line-height: 1.5em; white-space: pre-wrap; word-wrap: break-word; background-color: #ffffff;\">https:\/\/printer\/general\/status.html?url=\"\/&gt;&lt;script&gt;alert(\"XSS!\")&lt;\/script&gt;&lt;input%20type=\"hidden\"%20value=\"#<\/pre><div class=\"codeblock\" style=\"padding: 5px; border: 1px solid #cccccc; font-family: frutiger-lt-45-light1, Verdana, Geneva, Arial, helvetica, sans-serif; font-size: 14px; line-height: 24px; background-color: #eeeeee;\"><code style=\"font-family: 'Courier New', 'DejaVu Sans Mono', monospace, sans-serif; font-size: 1em; line-height: 1.5em;\">&lt;form method=\"post\" action=\"\/general\/status.html\"&gt;<br \/>\n&lt;div&gt;Login&lt;input type=\"password\" id=\"LogBox\" name=\"Nd0\" \/&gt;<br \/>\n&lt;input type=\"hidden\" name=\"loginurl\" value=\"\/general\/status.html?url=\"\/&gt;&lt;script&gt;alert(\"XSS!\")&lt;\/script&gt;&lt;input%20type=\"hidden\"%20value=\"\"\/&gt;<br \/>\n&lt;input id=\"login\" type=\"submit\" value=\"&amp;nbsp;\" \/&gt;<br \/>\n&lt;\/div&gt;<br \/>\n&lt;\/form&gt;<\/code><\/div><p style=\"margin: 0.5em 0px; font-family: frutiger-lt-45-light1, Verdana, Geneva, Arial, helvetica, sans-serif; font-size: 14px; line-height: 24px; background-color: #ffffff;\"><img decoding=\"async\" style=\"border: 0px; max-width: 100%; height: auto;\" 
alt=\"xss.jpg\" \/><\/p><p>While cross-site scripting is a well-known flaw that is being widely used in phishing attacks, it requires an element of social engineering in order to be successful. As this web page would typically be accessible only from within an organisation an attacker would either require knowledge of internal systems, or would be using this in combination with other, more targeted attacks. This issue does, however, highlight the need to consider all network connected assets, such as printers, in a technical vulnerability management process.<\/p><p>For more information on this particular example, review BID 71911 (https:\/\/www.securityfocus.com\/bid\/71911). For general information on cross-site scripting, and on measures which can be used to prevent it, review the Open Web Application Security Project article at\u00a0<a href=\"https:\/\/www.owasp.org\/index.php\/XSS_\">https:\/\/www.owasp.org\/index.php\/XSS_<\/a>(Cross_Site_Scripting)_Prevention_Cheat_Sheet.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"<p>The administration service web pages on the Brother MFC-J4410DW model printer are vulnerable to reflected cross-site scripting through the \u201curl\u201d querystring parameter. This allows a user\u2019s session to be hijacked or allows an attacker to take control of the user\u2019s browser. 
For cross-site scripting to be exploited by an attacker, a victim needs to visit [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"content-type":"","_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1],"tags":[209],"class_list":["post-2861","post","type-post","status-publish","format-standard","hentry","category-researchblog","tag-infrastructure","wpbf-post"],"contentshake_article_id":"","yoast_head_json":{"title":"Brother MFC-J4410DW Printer Administration XSS","description":"The administration service web pages on the Brother MFC-J4410DW model printer are vulnerable to reflected cross-site scripting through the \u201curl\u201d","robots":{"index":"noindex","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"og_locale":"en_US","og_type":"article","og_title":"Brother MFC-J4410DW Printer Administration XSS","og_description":"The administration service web pages on the Brother MFC-J4410DW model printer are vulnerable to reflected cross-site scripting through the \u201curl\u201d","og_url":"https:\/\/dionach.development-visionsharp.co.uk\/en-us\/brother-mfc-j4410dw-printer-administration-xss\/","og_site_name":"Dionach","article_publisher":"https:\/\/www.facebook.com\/dionachcyber","article_published_time":"2015-01-21T16:20:32+00:00","article_modified_time":"2024-03-18T16:04:22+00:00","og_image":[{"width":512,"height":512,"url":"https:\/\/i0.wp.com\/dionach.development-visionsharp.co.uk\/wp-content\/uploads\/2025\/02\/cropped-Dionach-vertical-col-yel-nomios-black-1.jpg?fit=512%2C512&ssl=1","type":"image\/jpeg"}],"author":"Dionach Admin","twitter_card":"summary_large_image","twitter_creator":"@dionachcyber","twitter_site":"@dionachcyber","twitter_misc":{"Written by":"Dionach Admin","Est. 
reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/dionach.development-visionsharp.co.uk\/en-us\/brother-mfc-j4410dw-printer-administration-xss\/#article","isPartOf":{"@id":"https:\/\/dionach.development-visionsharp.co.uk\/en-us\/brother-mfc-j4410dw-printer-administration-xss\/"},"author":{"name":"Dionach Admin","@id":"https:\/\/dionach.development-visionsharp.co.uk\/en-us\/#\/schema\/person\/effca060e22bfa3cc6cd03f74a50fdb4"},"headline":"Brother MFC-J4410DW Printer Administration XSS","datePublished":"2015-01-21T16:20:32+00:00","dateModified":"2024-03-18T16:04:22+00:00","mainEntityOfPage":{"@id":"https:\/\/dionach.development-visionsharp.co.uk\/en-us\/brother-mfc-j4410dw-printer-administration-xss\/"},"wordCount":238,"publisher":{"@id":"https:\/\/dionach.development-visionsharp.co.uk\/en-us\/#organization"},"keywords":["infrastructure"],"articleSection":["researchblog"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/dionach.development-visionsharp.co.uk\/en-us\/brother-mfc-j4410dw-printer-administration-xss\/","url":"https:\/\/dionach.development-visionsharp.co.uk\/en-us\/brother-mfc-j4410dw-printer-administration-xss\/","name":"Brother MFC-J4410DW Printer Administration XSS","isPartOf":{"@id":"https:\/\/dionach.development-visionsharp.co.uk\/en-us\/#website"},"datePublished":"2015-01-21T16:20:32+00:00","dateModified":"2024-03-18T16:04:22+00:00","description":"The administration service web pages on the Brother MFC-J4410DW model printer are vulnerable to reflected cross-site scripting through the 
\u201curl\u201d","breadcrumb":{"@id":"https:\/\/dionach.development-visionsharp.co.uk\/en-us\/brother-mfc-j4410dw-printer-administration-xss\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/dionach.development-visionsharp.co.uk\/en-us\/brother-mfc-j4410dw-printer-administration-xss\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/dionach.development-visionsharp.co.uk\/en-us\/brother-mfc-j4410dw-printer-administration-xss\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/dionach.development-visionsharp.co.uk\/en-us\/homepage-usa\/"},{"@type":"ListItem","position":2,"name":"Brother MFC-J4410DW Printer Administration XSS"}]},{"@type":"WebSite","@id":"https:\/\/dionach.development-visionsharp.co.uk\/en-us\/#website","url":"https:\/\/dionach.development-visionsharp.co.uk\/en-us\/","name":"Dionach","description":"Real Security in a Virtual World","publisher":{"@id":"https:\/\/dionach.development-visionsharp.co.uk\/en-us\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/dionach.development-visionsharp.co.uk\/en-us\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/dionach.development-visionsharp.co.uk\/en-us\/#organization","name":"Dionach","url":"https:\/\/dionach.development-visionsharp.co.uk\/en-us\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/dionach.development-visionsharp.co.uk\/en-us\/#\/schema\/logo\/image\/","url":"https:\/\/dionach.com\/wp-content\/uploads\/2025\/02\/cropped-Dionach-vertical-col-yel-nomios-black-1.jpg","contentUrl":"https:\/\/dionach.com\/wp-content\/uploads\/2025\/02\/cropped-Dionach-vertical-col-yel-nomios-black-1.jpg","width":512,"height":512,"caption":"Dionach"},"image":{"@id":"https:\/\/dionach.development-visi
onsharp.co.uk\/en-us\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/dionachcyber","https:\/\/x.com\/dionachcyber","https:\/\/uk.linkedin.com\/company\/dionach-ltd","https:\/\/www.instagram.com\/dionachcyber\/"]},{"@type":"Person","@id":"https:\/\/dionach.development-visionsharp.co.uk\/en-us\/#\/schema\/person\/effca060e22bfa3cc6cd03f74a50fdb4","name":"Dionach Admin","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/3061726a64a760303f6ea8f0976d3e8e0a6997b4da543be9a650b81584b4e79e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/3061726a64a760303f6ea8f0976d3e8e0a6997b4da543be9a650b81584b4e79e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/3061726a64a760303f6ea8f0976d3e8e0a6997b4da543be9a650b81584b4e79e?s=96&d=mm&r=g","caption":"Dionach Admin"}}]}},"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/ph4Ojq-K9","_links":{"self":[{"href":"https:\/\/dionach.development-visionsharp.co.uk\/en-us\/wp-json\/wp\/v2\/posts\/2861","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/dionach.development-visionsharp.co.uk\/en-us\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/dionach.development-visionsharp.co.uk\/en-us\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/dionach.development-visionsharp.co.uk\/en-us\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/dionach.development-visionsharp.co.uk\/en-us\/wp-json\/wp\/v2\/comments?post=2861"}],"version-history":[{"count":0,"href":"https:\/\/dionach.development-visionsharp.co.uk\/en-us\/wp-json\/wp\/v2\/posts\/2861\/revisions"}],"wp:attachment":[{"href":"https:\/\/dionach.development-visionsharp.co.uk\/en-us\/wp-json\/wp\/v2\/media?parent=2861"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/dionach.development-visionsharp.co.uk\/en-us\/wp-json\/wp\/v2\/categories?post=2861"},{"tax
onomy":"post_tag","embeddable":true,"href":"https:\/\/dionach.development-visionsharp.co.uk\/en-us\/wp-json\/wp\/v2\/tags?post=2861"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}