D-Link DI-804 Router Direct Request Authentication Bypass

2002-08-22T00:00:00
ID OSVDB:9410
Type osvdb
Reporter Roger McLaren (rmclaren@vcss.k12.ca.us)
Modified 2002-08-22T00:00:00

Description

Vulnerability Description

The D-Link DI-804 router contains a flaw that may lead to unauthorized information disclosure. The issue is triggered when remote administration mode is enabled. A remote attacker can gain unauthorized access to the device information and status pages, which disclose the WAN IP address, the MAC address for the LAN/WAN interface, and the Dynamic Host Configuration Protocol (DHCP) logs, resulting in a loss of confidentiality.

Solution Description

Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround: Disable the "remote administration" mode on the router.

References:

Vendor URL: http://www.dlink.com/

Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2002-08/0232.html

ISS X-Force ID: 9969

CVE-2002-1069

Bugtraq ID: 5553