Sign-up

ID

VAR-200803-0062


CVE

CVE-2008-1266


TITLE

D-Link DI-524 On the router Web Interface buffer overflow vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2008-002828

DESCRIPTION

Multiple buffer overflows in the web interface on the D-Link DI-524 router allow remote attackers to cause a denial of service (device crash) or possibly have unspecified other impact via (1) a long username or (2) an HTTP header with a large name and an empty value. (1) Excessively long username (2) Have an overly large name and a blank value HTTP header. D-Link is an internationally renowned provider of network equipment and solutions, and its products include a variety of router equipment.  D-Link DI-524 has multiple vulnerabilities in processing user requests. Remote attackers may use these vulnerabilities to make device services unavailable or perform cross-site scripting attacks.  The D-Link DI-524 router does not properly handle the login request sent to the web interface. collapse.  The D-Link DI-604 router did not properly filter the input passed to the rf parameter in prim.htm and returned it to the user, which could cause arbitrary HTML and script code to be executed in the user's browser session.  The D-Link DSL-G604T router did not properly filter the input passed to the var: category parameter in cgi-bin / webcm and returned it to the user, which could cause arbitrary HTML and script code to be executed in the user's browser session. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. D-Link is a network company founded by Taiwan D-Link Group, dedicated to the R&D, production and marketing of LAN, broadband network, wireless network, voice network and related network equipment. ---------------------------------------------------------------------- A new version (0.9.0.0 - Release Candidate 1) of the free Secunia PSI has been released. The new version includes many new and advanced features, which makes it even easier to stay patched. Download and test it today: https://psi.secunia.com/ Read more about this new version: https://psi.secunia.com/?page=changelog ---------------------------------------------------------------------- TITLE: D-Link DI-524 Denial of Service Vulnerabilities SECUNIA ADVISORY ID: SA29366 VERIFY ADVISORY: http://secunia.com/advisories/29366/ CRITICAL: Less critical IMPACT: DoS WHERE: >From local network OPERATING SYSTEM: D-Link DI-524 http://secunia.com/product/8028/ DESCRIPTION: laurent has reported two vulnerabilities in D-Link DI-524, which can be exploited by malicious people to cause a DoS (Denial of Service). SOLUTION: Restrict access to trusted users only. PROVIDED AND/OR DISCOVERED BY: laurent ORIGINAL ADVISORY: http://www.gnucitizen.org/projects/router-hacking-challenge/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Trust: 2.61

sources: NVD: CVE-2008-1266 // JVNDB: JVNDB-2008-002828 // CNVD: CNVD-2008-5921 // BID: 28439 // VULHUB: VHN-31391 // PACKETSTORM: 64867

IOT TAXONOMY

category:['IoT']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2008-5921

AFFECTED PRODUCTS

vendor:d linkmodel:di-524scope: - version: -

Trust: 1.4

vendor:dlinkmodel:di-524scope:eqversion:*

Trust: 1.0

vendor:nonemodel: - scope: - version: -

Trust: 0.6

vendor:d linkmodel:dsl-g604tscope: - version: -

Trust: 0.3

vendor:d linkmodel:di-604scope: - version: -

Trust: 0.3

vendor:d linkmodel:di-524scope:eqversion:0

Trust: 0.3

sources: CNVD: CNVD-2008-5921 // BID: 28439 // JVNDB: JVNDB-2008-002828 // CNNVD: CNNVD-200803-144 // NVD: CVE-2008-1266

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2008-1266
value: HIGH

Trust: 1.0

NVD: CVE-2008-1266
value: HIGH

Trust: 0.8

CNNVD: CNNVD-200803-144
value: MEDIUM

Trust: 0.6

VULHUB: VHN-31391
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2008-1266
severity: HIGH
baseScore: 7.8
vectorString: AV:N/AC:L/AU:N/C:N/I:N/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-31391
severity: HIGH
baseScore: 7.8
vectorString: AV:N/AC:L/AU:N/C:N/I:N/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-31391 // JVNDB: JVNDB-2008-002828 // CNNVD: CNNVD-200803-144 // NVD: CVE-2008-1266

PROBLEMTYPE DATA

problemtype:CWE-119

Trust: 1.9

sources: VULHUB: VHN-31391 // JVNDB: JVNDB-2008-002828 // NVD: CVE-2008-1266

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-200803-144

TYPE

buffer error

Trust: 0.6

sources: CNNVD: CNNVD-200803-144

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2008-002828

PATCH
title:Top Pageurl:http://www.dlink.com/
Trust: 0.8
sources:
            
            
            JVNDB: JVNDB-2008-002828

EXTERNAL IDS
db:NVDid:CVE-2008-1266
Trust: 3.4
db:BIDid:28439
Trust: 2.0
db:SECUNIAid:29366
Trust: 1.8
db:JVNDBid:JVNDB-2008-002828
Trust: 0.8
db:CNNVDid:CNNVD-200803-144
Trust: 0.7
db:CNVDid:CNVD-2008-5921
Trust: 0.6
db:VULHUBid:VHN-31391
Trust: 0.1
db:PACKETSTORMid:64867
Trust: 0.1
sources:
            
            
            CNVD: CNVD-2008-5921 // 
            
            
            
            VULHUB: VHN-31391 // 
            
            
            
            BID: 28439 // 
            
            
            
            JVNDB: JVNDB-2008-002828 // 
            
            
            
            PACKETSTORM: 64867 // 
            
            
            
            CNNVD: CNNVD-200803-144 // 
            
            
            
            NVD: CVE-2008-1266

REFERENCES
url:http://www.gnucitizen.org/projects/router-hacking-challenge/
Trust: 2.1
url:http://www.securityfocus.com/bid/28439
Trust: 1.7
url:http://www.securityfocus.com/archive/1/489009/100/0/threaded
Trust: 1.7
url:http://secunia.com/advisories/29366
Trust: 1.7
url:https://exchange.xforce.ibmcloud.com/vulnerabilities/41125
Trust: 1.7
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2008-1266
Trust: 0.8
url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2008-1266
Trust: 0.8
url:http://www.d-link.com/
Trust: 0.3
url:http://secunia.com/secunia_security_advisories/
Trust: 0.1
url:http://secunia.com/product/8028/
Trust: 0.1
url:https://psi.secunia.com/?page=changelog
Trust: 0.1
url:https://psi.secunia.com/
Trust: 0.1
url:http://secunia.com/advisories/29366/
Trust: 0.1
url:http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
Trust: 0.1
url:http://secunia.com/about_secunia_advisories/
Trust: 0.1
sources:
            
            
            VULHUB: VHN-31391 // 
            
            
            
            BID: 28439 // 
            
            
            
            JVNDB: JVNDB-2008-002828 // 
            
            
            
            PACKETSTORM: 64867 // 
            
            
            
            CNNVD: CNNVD-200803-144 // 
            
            
            
            NVD: CVE-2008-1266

CREDITS
Gareth Heyeslaurent
Trust: 0.6
sources:
            
            
            CNNVD: CNNVD-200803-144

SOURCES
db:CNVDid:CNVD-2008-5921
db:VULHUBid:VHN-31391
db:BIDid:28439
db:JVNDBid:JVNDB-2008-002828
db:PACKETSTORMid:64867
db:CNNVDid:CNNVD-200803-144
db:NVDid:CVE-2008-1266

LAST UPDATE DATE
2025-04-10T20:57:05.632000+00:00

SOURCES UPDATE DATE
db:CNVDid:CNVD-2008-5921date:2008-12-07T00:00:00
db:VULHUBid:VHN-31391date:2018-10-11T00:00:00
db:BIDid:28439date:2008-03-26T16:10:00
db:JVNDBid:JVNDB-2008-002828date:2012-06-26T00:00:00
db:CNNVDid:CNNVD-200803-144date:2023-04-27T00:00:00
db:NVDid:CVE-2008-1266date:2025-04-09T00:30:58.490

SOURCES RELEASE DATE
db:CNVDid:CNVD-2008-5921date:2008-12-07T00:00:00
db:VULHUBid:VHN-31391date:2008-03-10T00:00:00
db:BIDid:28439date:2008-03-25T00:00:00
db:JVNDBid:JVNDB-2008-002828date:2012-06-26T00:00:00
db:PACKETSTORMid:64867date:2008-03-26T00:09:25
db:CNNVDid:CNNVD-200803-144date:2008-03-10T00:00:00
db:NVDid:CVE-2008-1266date:2008-03-10T17:44:00