D-Link DCS-2103 Brute Force / Cross Site Scripting

2014-12-16T00:00:00
ID PACKETSTORM:129609
Type packetstorm
Reporter MustLive
Modified 2014-12-16T00:00:00

Description

                                        
                                            `Hello list!  
  
There are Brute Force and Cross-Site Scripting vulnerabilities in D-Link   
DCS-2103 (IP camera). If previous Path Traversal and Full path disclosure   
vulnerabilities were post-auth, then these BF and XSS vulnerabilities are   
pre-auth.  
  
-------------------------  
Affected products:  
-------------------------  
  
Vulnerable is the next model: D-Link DCS-2103, Firmware 1.0.0. For BF   
vulnerability version 1.20 and previous versions are vulnerable.  
  
Developers refused to fix BF vulnerability (they think that it's problem of   
a user to have strong password) and XSS vulnerability was fixed in firmware   
version 1.20.  
  
----------  
Details:  
----------  
  
Brute Force (WASC-11):  
  
http://site  
  
No protection from BF attacks.  
  
Cross-Site Scripting (WASC-08):  
  
http://site/vb.htm?%3Cscript%3Ealert%28document.cookie%29%3C/script%3E  
  
------------  
Timeline:  
------------  
  
2014.05.22-2014.11.26 - conversation with D-Link about vulnerabilities in   
DAP-1360.  
2014.08.01 - announced at my site about vulnerabilities in DCS-2103.  
2014.11.14-2014.12.13 - conversation with D-Link about vulnerabilities in   
DCS-2103.  
2014.12.16 - disclosed at my site (http://websecurity.com.ua/7288/).  
  
I found this and other web cameras during summer to watch terrorists   
activities in Donetsk and Lugansks regions of Ukraine   
(http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2014-November/009062.html)   
and also I took under control web cameras in Russia   
(http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2014-December/009065.html).  
  
Best wishes & regards,  
Eugene Dokukin aka MustLive  
Administrator of Websecurity web site  
http://websecurity.com.ua   
`