D-Link DIR-890L A2 Improper Access Control

2018-07-03 / 2018-07-02
Credit: Kevin Randall
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

[Suggested description]
An issue was discovered on D-Link DIR-890L A2 devices. Because the /docs/captcha_(number).jpeg URI is predictable, an attacker who is local to the network but unauthenticated to the administrator's panel can disclose the CAPTCHAs used by the access point and can elect to load the CAPTCHA of their choosing, leading to unauthorized login attempts against the access point.

[Vulnerability Type]
Incorrect Access Control

[Vendor of Product]
D-Link

[Affected Product Code Base]
DIR-890L - A2

[Affected Component]
Due to the predictability of the /docs/captcha_(number).jpeg URI when loading the CAPTCHA, an attacker can change which CAPTCHA is loaded and can load the same CAPTCHA each time.

[Attack Type]
Local

[Impact Information Disclosure]
true

[CVE Impact Other]
Predictability of CAPTCHA resulting in unauthorized login attempts to the access point

[Attack Vectors]
An attacker must be local to the network but unauthenticated to the administrator's panel.

[Has vendor confirmed or acknowledged the vulnerability?]
true

[Discoverer]
Kevin Randall
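The weakness above is that a CAPTCHA is addressed by a guessable number and can be fetched and reused independently of any login session. The following is an added illustration of the mitigating design (not D-Link's firmware code and not part of the advisory): challenges are keyed by an unguessable token, bound to the session that requested them, expire, and are consumed on first verification. Class and method names are hypothetical.

```python
import hmac
import random
import secrets
import time

# Hypothetical CAPTCHA challenge store. It replaces a predictable
# /docs/captcha_<number>.jpeg identifier with a CSPRNG token, and ties each
# challenge to one session so a fetched image cannot be replayed.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # no ambiguous glyphs (0/O, 1/I)


class CaptchaStore:
    def __init__(self, ttl_seconds=120, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock  # injectable for testing expiry
        self._pending = {}  # token -> (session_id, answer, expires_at)

    def issue(self, session_id):
        """Create a challenge for one session; return (token, answer).

        The token (128 bits) becomes the image URI, e.g. /captcha/<token>.jpeg,
        so an unauthenticated client cannot enumerate or choose challenges.
        The answer is what the image renderer (not shown) would draw.
        """
        token = secrets.token_urlsafe(16)
        answer = "".join(random.SystemRandom().choices(ALPHABET, k=6))
        self._pending[token] = (session_id, answer, self.clock() + self.ttl)
        return token, answer

    def verify(self, session_id, token, submitted):
        """Consume the challenge: single use, same session, not expired."""
        # pop() removes the entry whatever the outcome, so a token can never
        # be verified twice and a stolen token is burned on first misuse.
        entry = self._pending.pop(token, None)
        if entry is None:
            return False
        owner, answer, expires_at = entry
        if owner != session_id or self.clock() > expires_at:
            return False
        # constant-time comparison of the normalised response
        return hmac.compare_digest(answer.encode(), submitted.strip().upper().encode())
```

The login handler would call issue() when rendering the form and verify() before checking credentials, rejecting the attempt outright when verify() returns False.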


Copyright 2024, cxsecurity.com