NDSA20070412.txt

04 May 2007 00:00:00 | Reported by Tim Brown | Type: packetstorm | Source: packetstormsecurity.com

Nth Dimension Security Advisory on D-Link DSL-G624T Router Vulnerabilities

Code

```text
Nth Dimension Security Advisory (NDSA20070412)
Date: 12th April 2007
Author: Tim Brown <mailto:[email protected]>
URL: <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
Product: DSL-G624T router (V3.00B01T02.UK-A.20060208)
<http://www.dlink.co.uk/?go=gNTyP9CgrdFOIC4AStFCF834mptYKO9ZTdvhLPG3yV3oVo5+hKltbNlwaaFp7DQtFzrqyCJG948BANfh>
Vendor: D-Link <http://www.dlink.co.uk/>
Risk: Medium

Summary

Following the Securiteam posting "D-Link DSL-G604T Wireless Router
Directory Traversal", which described a directory traversal in release
V1.00B02T02.EU.20040618 of the DSL-G624T router firmware, research
was carried out on the DSL-G624T router which indicated that it too
was vulnerable to this and to a second vulnerability. Nth Dimension
would also point out that the directory traversal has been reported in
other router and firmware combinations.

1) Firmware CGI is vulnerable to directory traversal and can be made
to retrieve any file to which the web server user has read access
(for example /etc/shadow).

2) Firmware CGI is vulnerable to Javascript injection within the
requested URL.

Technical Details

1) The firmware CGI script can be made to read any arbitrary file that
the web server user has read access to, as it makes no sanity checks on
the value passed within the getpage parameter of the URL, for example:

http://192.168.1.1/cgi-bin/webcm?getpage=/etc/shadow

In the event that the user has not authenticated, the user is prompted
for authentication credentials before the request is processed.

As noted above, this vulnerability bears an uncanny resemblance to a previously
reported vulnerability in another D-Link router running a (presumably) older
version of the firmware.

2) The value of the URL requested is used within the web pages returned
by the firmware CGI script, in its unsanitised form. Specifically, it makes
no sanity checks on the value passed within the var:RelaodHref parameter of the
URL, for example:

http://192.168.1.1/cgi-bin/webcm?getpage=../html/home/home_RelaodHref.htm&var:RelaodHref=a"%20==%20"a"){alert("XSS")}}</script>

As with the directory traversal example, the user will be
prompted to authenticate if required.

Combining these vulnerabilities should allow the compromise of any router
running affected firmware versions.

Solutions

Unfortunately, Nth Dimension are unaware of any fixes for these issues
at the current time. Note that 2 years have elapsed, and 2 major releases
of the firmware have occurred since the original Securiteam advisory was
published.
```
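Both findings come down to a CGI handler that trusts request parameters: `getpage` is used as a filesystem path, and `var:RelaodHref` is echoed into a `<script>` block. The following is an added example (not D-Link firmware code and not part of the advisory) showing the two checks such a handler needs, plus a small log-review helper that flags requests which would have exercised either issue. The web root `/var/www/html`, the `.htm` page rule and the sample request lines are all constructed for the example.

```python
"""Defensive counterpart to NDSA20070412's two findings (added example).

Assumptions (not from the advisory): pages live under WEB_ROOT and are all
'.htm' files; the reload page embeds the href inside a <script> block.
"""
import html
import json
import posixpath
import re
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit

WEB_ROOT = "/var/www/html"  # assumed web root for the example


def resolve_getpage(web_root: str, getpage: str) -> Optional[str]:
    """Map a 'getpage' value to a path under web_root, or return None.

    This is the check the advisory says the firmware CGI lacks: the raw
    value ('/etc/shadow', '../../etc/passwd') is never used as a path.
    The containment test is lexical (posixpath.normpath); a deployment
    would additionally compare os.path.realpath() to defeat symlinks.
    """
    if not getpage or "\x00" in getpage:
        return None
    root = posixpath.normpath(web_root)
    # A leading '/' is stripped so every request is relative to the root.
    joined = posixpath.normpath(posixpath.join(root, getpage.lstrip("/")))
    if joined != root and not joined.startswith(root + "/"):
        return None  # normalised path escaped the web root
    if not joined.endswith(".htm"):
        return None  # only the UI's own page type is served
    return joined


def js_string_literal(value: str) -> str:
    """Encode value as a JavaScript string literal safe inside <script>.

    json.dumps escapes quotes, backslashes and control characters; '<', '>'
    and '&' are \\u-escaped too, so '</script>' can never appear literally
    and the injected '"){alert(...)}' from the advisory stays inert data.
    """
    literal = json.dumps(value)
    return (literal.replace("<", "\\u003c")
                   .replace(">", "\\u003e")
                   .replace("&", "\\u0026"))


def render_reload_page(reload_href: str) -> str:
    """Build a small redirect page, embedding the parameter safely in both
    the script context and the HTML text context."""
    safe = js_string_literal(reload_href)
    return ("<html><head><script>"
            f"if (location.href != {safe}) {{ location.href = {safe}; }}"
            "</script></head><body>"
            f"Redirecting to {html.escape(reload_href)}"
            "</body></html>")


# Constructed sample request lines for log review (not captured traffic).
SAMPLE_REQUESTS = [
    "GET /cgi-bin/webcm?getpage=/etc/shadow",
    "GET /cgi-bin/webcm?getpage=../html/home/home_RelaodHref.htm"
    "&var:RelaodHref=a%22%20==%20%22a%22){alert(%22XSS%22)}}%3C/script%3E",
    "GET /cgi-bin/webcm?getpage=home/home.htm",
]


def classify_request(line: str) -> List[str]:
    """Return the findings a request line would have triggered.

    Intended for reviewing access logs after the fact: a getpage value the
    safe resolver rejects, or a RelaodHref carrying quote/markup characters,
    is reported.
    """
    issues: List[str] = []
    target = line.split(" ", 1)[1] if " " in line else line
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    for page in query.get("getpage", []):
        if resolve_getpage(WEB_ROOT, page) is None:
            issues.append("getpage rejected: " + page)
    for href in query.get("var:RelaodHref", []):
        if re.search(r'[<>"\'\\]', href):
            issues.append("RelaodHref contains markup/quote characters")
    return issues


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req, "->", classify_request(req) or "ok")
```

The resolver rejects `/etc/shadow` and `../../etc/passwd.htm` but still accepts `../html/home/home_RelaodHref.htm`, which normalises to a location inside the root; containment, not the presence of `..`, is the property worth enforcing. For the reflected parameter, encoding for the exact output context (a JavaScript string literal, then HTML text) is what removes the injection, independent of any authentication prompt.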
