Sign-up

ID

VAR-201005-0438


TITLE

U.S.Robotics USR5463 firmware '/cgi-bin/setup_ddns.exe' cross-site request forgery vulnerability

Trust: 0.9

sources: CNVD: CNVD-2010-0957 // BID: 40348

DESCRIPTION

U.S.Robotics USR5463 is a popular router device in foreign countries. The application device does not properly perform any legal verification of the request, allowing the user to perform partial management operations through HTTP requests. If you build malicious parameters passed to the /cgi-bin/setup_ddns.exe script and entice the user to click, you can change the device configuration and more. U.S.Robotics USR5463 firmware is prone to a cross-site request-forgery vulnerability. Successful exploits may allow attackers to perform unauthorized actions on the affected device in the context of a logged-in user. This may allow attackers to gain access to or modify sensitive information and perform HTML-injection attacks. U.S.Robotics USR5463 firmware versions 0.01 through 0.06 are vulnerable. ---------------------------------------------------------------------- Stay Compliant Alerts, Technical Descriptions, PoC, Links to patches, CVSS, CVE, Changelogs, Alternative Remediation Strategies, and much more provided in the Secunia Vulnerability Intelligence solutions Free Trial http://secunia.com/products/corporate/evm/trial/ ---------------------------------------------------------------------- TITLE: USR5463 802.11g Wireless Router Cross-Site Request Forgery SECUNIA ADVISORY ID: SA39889 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/39889/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=39889 RELEASE DATE: 2010-05-25 DISCUSS ADVISORY: http://secunia.com/advisories/39889/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/39889/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=39889 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: David K. has reported a vulnerability in the USR5463 802.11g Wireless Router, which can be exploited by malicious people to conduct cross-site request forgery attacks. This can be exploited to e.g. conduct script insertion attacks via specially crafted parameters passed to the /cgi-bin/setup_ddns.exe script. SOLUTION: Do not browse untrusted websites or follow untrusted links while logged-in to the device. PROVIDED AND/OR DISCOVERED BY: David K. OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Trust: 0.9

sources: CNVD: CNVD-2010-0957 // BID: 40348 // PACKETSTORM: 89926

IOT TAXONOMY

category:['Network device']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2010-0957

AFFECTED PRODUCTS

vendor:nomodel: - scope: - version: -

Trust: 0.6

vendor:u s roboticsmodel:usr5463scope:eqversion:0.06

Trust: 0.3

vendor:u s roboticsmodel:usr5463scope:eqversion:0.05

Trust: 0.3

vendor:u s roboticsmodel:usr5463scope:eqversion:0.04

Trust: 0.3

vendor:u s roboticsmodel:usr5463scope:eqversion:0.03

Trust: 0.3

vendor:u s roboticsmodel:usr5463scope:eqversion:0.02

Trust: 0.3

vendor:u s roboticsmodel:usr5463scope:eqversion:0.01

Trust: 0.3

sources: CNVD: CNVD-2010-0957 // BID: 40348

THREAT TYPE

network

Trust: 0.3

sources: BID: 40348

TYPE

Design Error

Trust: 0.3

sources: BID: 40348

EXTERNAL IDS

db:BIDid:40348

Trust: 0.9

db:SECUNIAid:39889

Trust: 0.7

db:CNVDid:CNVD-2010-0957

Trust: 0.6

db:PACKETSTORMid:89926

Trust: 0.1

sources: CNVD: CNVD-2010-0957 // BID: 40348 // PACKETSTORM: 89926

REFERENCES

url:http://secunia.com/advisories/39889/

Trust: 0.7

url:http://www.usr-emea.com/support/s-prod-template.asp?loc=emea&prod=5463

Trust: 0.3

url:http://secunia.com/products/corporate/evm/

Trust: 0.1

url:http://secunia.com/advisories/secunia_security_advisories/

Trust: 0.1

url:http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/

Trust: 0.1

url:http://secunia.com/vulnerability_scanning/personal/

Trust: 0.1

url:https://ca.secunia.com/?page=viewadvisory&vuln_id=39889

Trust: 0.1

url:http://secunia.com/advisories/39889/#comments

Trust: 0.1

url:http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org

Trust: 0.1

url:http://secunia.com/products/corporate/evm/trial/

Trust: 0.1

url:http://secunia.com/advisories/about_secunia_advisories/

Trust: 0.1

sources: CNVD: CNVD-2010-0957 // BID: 40348 // PACKETSTORM: 89926

CREDITS

David K.

Trust: 0.3

sources: BID: 40348

SOURCES

db:CNVDid:CNVD-2010-0957
db:BIDid:40348
db:PACKETSTORMid:89926

LAST UPDATE DATE

2022-05-17T02:10:51.449000+00:00


SOURCES UPDATE DATE

db:CNVDid:CNVD-2010-0957date:2010-05-26T00:00:00
db:BIDid:40348date:2010-05-25T18:32:00

SOURCES RELEASE DATE

db:CNVDid:CNVD-2010-0957date:2010-05-26T00:00:00
db:BIDid:40348date:2010-05-25T00:00:00
db:PACKETSTORMid:89926date:2010-05-25T14:19:55