Full Disclosure mailing list archives

D-Link DI-724P+ Router - Cross Site Scripting Vulnerability

From: werew01f <hack.werew01f () gmail com>
Date: Wed, 19 May 2010 09:26:02 +0800

Security Advisory: D-Link DI-724P+ Router - Cross Site Scripting Vulnerability
========================================================

System affected: D-Link DI-724P+ Router, Firmware Version: v1.03

Vulnerability Description:
==================
Cross Site Scripting (XSS) vulnerability was found on the D-Link
DI-724P+ Router,  which can be exploited by conducting a cross-site
scripting attacks.

In the Admin web interface, under the "wireless" tab, script can be
injected from the GET string. This can be exploited by injecting
arbitrary HTML and malicious script code, which will execute in a
user's browser session.

The vulnerable URL: http://192.168.0.1/wlap.htm (the default admin IP
is 192.168.0.1).

Researcher Info:
============
Discovered by: w01f
Website: http://labs-werew01f.blogspot.com
E-mail: hack [dot] werew01f [at] gmail [dot] com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

D-Link DI-724P+ Router - Cross Site Scripting Vulnerability werew01f (May 19)