Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
openvasCopyright (C) 2013 Greenbone AGOPENVAS:1361412562310803752
HistorySep 03, 2013 - 12:00 a.m.

TP-Link TD-W8951ND XSS and CSRF Vulnerabilities

2013-09-0300:00:00
Copyright (C) 2013 Greenbone AG
plugins.openvas.org
16

AI Score

6.6

Confidence

High

JSON

TP-Link TD-W8951ND is prone to cross-site scripting (XSS) and
cross-site request forgery (CSRF) vulnerabilities.

# SPDX-FileCopyrightText: 2013 Greenbone AG
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-only

if(description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.803752");
  script_version("2024-06-28T05:05:33+0000");
  script_tag(name:"cvss_base", value:"6.8");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:M/Au:N/C:P/I:P/A:P");
  script_tag(name:"last_modification", value:"2024-06-28 05:05:33 +0000 (Fri, 28 Jun 2024)");
  script_tag(name:"creation_date", value:"2013-09-03 13:14:17 +0530 (Tue, 03 Sep 2013)");
  script_name("TP-Link TD-W8951ND XSS and CSRF Vulnerabilities");

  script_tag(name:"summary", value:"TP-Link TD-W8951ND is prone to cross-site scripting (XSS) and
  cross-site request forgery (CSRF) vulnerabilities.");

  script_tag(name:"vuldetect", value:"Send a crafted data via HTTP request and check whether it is able to read
  the cookie or not.");

  script_tag(name:"solution", value:"Firmware update is available.");

  script_tag(name:"solution_type", value:"VendorFix");

  script_tag(name:"insight", value:"Multiple flaws are due to:

  - Input passed to the 'Referer' header in HTTP request is not properly
   sanitised before being returned to the user.

  - Input passed to the 'wlanWEBFlag', 'AccessFlag', 'wlan_APenable' parameter
   in '/Forms/home_wlan_1' is not properly sanitised before being returned to
   the user.

  - Input passed to the 'PingIPAddr' parameter in '/Forms/tools_test_1' is not
   properly sanitised before being returned to the user.");

  script_tag(name:"affected", value:"TP-Link TD-W8951ND Firmware 4.0.0 Build 120607, Other versions may also be
  affected.");

  script_tag(name:"impact", value:"Successful exploitation will allow attacker to execute arbitrary script
  code in the browser of an unsuspecting user in the context of the affected site.");

  script_xref(name:"URL", value:"http://packetstormsecurity.com/files/123016");
  script_xref(name:"URL", value:"http://www.securityfocus.com/bid/62103");
  script_xref(name:"URL", value:"http://exploitsdownload.com/exploit/na/tp-link-td-w8951nd-cross-site-request-forgery-cross-site-scripting");

  script_category(ACT_ATTACK);
  script_tag(name:"qod_type", value:"remote_analysis");
  script_copyright("Copyright (C) 2013 Greenbone AG");
  script_family("Web application abuses");
  script_dependencies("gb_get_http_banner.nasl");
  script_require_ports("Services/www", 80);
  script_mandatory_keys("TD-W8951ND/banner");

  exit(0);
}

include("http_func.inc");
include("http_keepalive.inc");
include("port_service_func.inc");

http_port = http_get_port(default:80);

banner = http_get_remote_headers(port: http_port);
if(banner && 'WWW-Authenticate: Basic realm="TD-W8951ND"' >!< banner){
  exit(0);
}

host = http_host_name(port:http_port);

req = string("GET /doesnotexists HTTP/1.1\r\n",
             "Host: ", host, "\r\n",
             'Referer: http://pwned"><script>alert(document.cookie)</script>', '\r\n',
             'Connection: keep-alive', '\r\n\r\n');

res = http_keepalive_send_recv(port:http_port,data:req);

if(res =~ "^HTTP/1\.[01] 200" && "RomPager server" >< res &&
   "><script>alert(document.cookie)</script>" >< res)
{
  security_message(http_port);
  exit(0);
}

exit(99);

AI Score

6.6

Confidence

High

JSON