Full Disclosure mailing list archives
CVE-2018-12103
From: Kevin R <krandall2013 () gmail com>
Date: Sat, 23 Jun 2018 17:41:08 -0400
[Suggested description]
An issue was discovered on D-Link DIR-890L A2 devices. Due to the predictability of the /docs/captcha_(number).jpeg URI, being local to the network, but unauthenticated to the administrator's panel, an attacker can disclose the CAPTCHAs used by the access point and can elect to load the CAPTCHA of their choosing, leading to unauthorized login attempts to the access point.

------------------------------------------

[Vulnerability Type]
Incorrect Access Control

------------------------------------------

[Vendor of Product]
D-Link

------------------------------------------

[Affected Product Code Base]
DIR-890L - A2

------------------------------------------

[Affected Component]
Due to the predictability in the /docs/captcha_(number).jpeg while loading the CAPTCHA, an attacker can change the CAPTCHA to load and can load the same CAPTCHA each time.

------------------------------------------

[Attack Type]
Local

------------------------------------------

[Impact Information Disclosure]
true

------------------------------------------

[CVE Impact Other]
Predictability of CAPTCHA resulting in unauthorized login attempts to the access point

------------------------------------------

[Attack Vectors]
An attacker must be local to the network but unauthenticated to the administrator's panel.

------------------------------------------

[Has vendor confirmed or acknowledged the vulnerability?]
true

------------------------------------------

[Discoverer]
Kevin Randall
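Added example, not part of the original post and not D-Link's code: a sketch of the server-side control whose absence the advisory describes, where each CAPTCHA gets an unguessable identifier, is served only to the session it was issued to, and is consumed on the first verification attempt. The CaptchaStore class, the session identifiers and the 120-second lifetime are assumptions made for illustration.

```python
import hmac
import secrets
import time

ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # constructed: no look-alike glyphs


def _same(a, b):
    # Constant-time comparison; encode so non-ASCII input cannot raise TypeError.
    return hmac.compare_digest(a.encode(), b.encode())


class CaptchaStore:
    """Hypothetical server-side CAPTCHA state, keyed by a random id per challenge."""

    def __init__(self, ttl=120, clock=time.monotonic):
        self._ttl = ttl
        self._clock = clock
        self._pending = {}  # captcha_id -> (session_id, answer, expires_at)

    def issue(self, session_id):
        """Create a challenge for one session. The answer stays on the server,
        which renders it into the image; only captcha_id goes to the client."""
        captcha_id = secrets.token_urlsafe(16)  # 128 random bits, not a counter
        answer = "".join(secrets.choice(ALPHABET) for _ in range(6))
        self._pending[captcha_id] = (session_id, answer, self._clock() + self._ttl)
        return captcha_id, answer

    def image_allowed(self, session_id, captcha_id):
        """Gate in front of the image handler: unknown, expired or foreign ids fail."""
        entry = self._pending.get(captcha_id)
        return bool(entry) and _same(entry[0], session_id) and self._clock() < entry[2]

    def verify(self, session_id, captcha_id, response):
        """Single use: the challenge is removed whether or not the check passes,
        so the same CAPTCHA can never be loaded or answered a second time."""
        entry = self._pending.pop(captcha_id, None)
        if entry is None:
            return False
        owner, answer, expires_at = entry
        if not _same(owner, session_id) or self._clock() >= expires_at:
            return False
        return _same(answer, response.upper())
```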