Dlink Di-604 router authenticated user ping tool Xss and DoS

2010.06.17
Credit: Ewerson Guimares
Risk: Medium
Local: No
Remote: Yes
CVE: CVE-2010-2292 | CVE-2010-2293
CWE: CWE-79
CWE-20

[DCA-0001] [Dlink Di-604 router authenticated user ping tool Xss and DoS] [vendor product description] The DI-604 combines the latest advancements in chip technology, low-cost design and manufacturing with new, feature-rich firewall and network management controls to give you quite possibly the most advanced, yet affordable Ethernet router to date. [Bug Description] 'Ping tools' web interface does not validate the ip textfield size leading to a Denial Of Service flaw by changing its size and sending more than 500 characters to it. This textfield is also prone to Cross Site Scripting. An authenticated user is required to exploit these security flaws. [History] Adv sent to vendor 05/25/2010 No vendor response Published 06/08/2010 [Impact] Low [Afected Version] All firmware [Vendor Reply] ------------------------------------------------------------------------ ------------------------ [Codes] No codes are needed -------------------------------------------- DcLabs - Sponsor: Crash crash (at) dclabs.com (dot) br [email concealed] [Greetz] Ipax - Alequimico - Gr1nch - Raphx88 ------------------------------------

References:

http://xforce.iss.net/xforce/xfdb/59366
http://www.securityfocus.com/bid/40691
http://www.securityfocus.com/archive/1/archive/1/511751/100/0/threaded


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top