Overview
The D-Link DIR-615 Rev. Ex contains a flaw that allows a remote Cross-Site Request Forgery (CSRF / XSRF) attack. The flaw exists because the redpass.cgi script does not require multiple steps, a per-session token, or explicit confirmation for sensitive transactions that modify configuration data. An attacker can trick an authenticated victim into loading a crafted page or image that submits the request, abusing the trust relationship between the victim's browser session and the application. Such an attack could cause the victim's browser to perform arbitrary configuration changes in the context of their session with the application, without further prompting or verification.
References
http://security-geek.in/blog/
http://packetstormsecurity.com/files/125307/D-LINK-DIR-615-Cross-Site-Request-Forgery.html
Details
- Authenticating to the web management interface from one IP address opens passwordless access from all other IP addresses; the authenticated state is not bound to the client that logged in.
- Passwords are stored unencrypted, as shown by requesting a backup of the configuration file.
- No CSRF mitigations are in place, and it is not apparent how to log out of the web interface after making changes.
- XSS payloads can be injected through the web interface's ping utility. For example, POSTing to ping_response.cgi with ping_ipaddr=8.8.8.8"><img src=x onerror=alert(1)> stores a payload that is executed whenever a user later visits the diagnostics page where ping results are displayed.
- Several information disclosures reveal system configuration details to unauthorized requests.
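The stored XSS and missing CSRF checks in the Details list are modelled side by side below. This is an added illustration, not D-Link firmware code: the endpoint ping_response.cgi and the field ping_ipaddr come from the advisory, while Session, csrf_token, RequestRejected and the handler names are hypothetical stand-ins. The vulnerable handler accepts any POST and reflects the raw value into the diagnostics page; the hardened handler binds state-changing requests to a per-session token, accepts only a literal IP address as a ping target, and HTML-escapes on output regardless.

```python
"""Vulnerable vs hardened handling of the ping_ipaddr field (added example,
not D-Link code). Session, csrf_token and the handler names are hypothetical."""
import hmac
import html
import ipaddress
import secrets
from dataclasses import dataclass, field

# Constructed input: the payload quoted in the advisory.
XSS_PAYLOAD = '8.8.8.8"><img src=x onerror=alert(1)>'


@dataclass
class Session:
    """Hypothetical per-browser session state. The advisory's first finding
    suggests the device instead keeps one global 'authenticated' flag."""
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))
    last_ping_target: str = ""


class RequestRejected(Exception):
    """Raised by the hardened handler when a request fails a check."""


def vulnerable_ping_handler(session: Session, form: dict) -> str:
    """Models the flaw: any POST is accepted, ping_ipaddr is stored raw and
    later reflected unescaped into the diagnostics page."""
    session.last_ping_target = form.get("ping_ipaddr", "")
    # Raw interpolation into an attribute: the quote in the payload closes
    # value="..." and the <img onerror=...> that follows becomes live markup.
    return f'<input name="ping_ipaddr" value="{session.last_ping_target}">'


def hardened_ping_handler(session: Session, form: dict) -> str:
    """Same endpoint with the three missing controls added."""
    # 1. CSRF: the form must carry the token bound to this session; a
    #    cross-site <img> or auto-submitting form cannot know it.
    token = form.get("csrf_token", "")
    if not hmac.compare_digest(token, session.csrf_token):
        raise RequestRejected("missing or invalid CSRF token")

    # 2. Validation: a ping target must parse as a literal IPv4/IPv6 address,
    #    which rejects the payload before it reaches any HTML or shell.
    try:
        target = ipaddress.ip_address(form.get("ping_ipaddr", "").strip())
    except ValueError:
        raise RequestRejected("ping_ipaddr is not an IP address") from None
    session.last_ping_target = str(target)

    # 3. Output encoding regardless of validation (defence in depth).
    escaped = html.escape(session.last_ping_target, quote=True)
    return f'<input name="ping_ipaddr" value="{escaped}">'


def compare_handlers() -> dict:
    """Run both handlers against the payload and a benign target and return
    what each did, so the difference is visible in one place."""
    results = {}

    vuln_out = vulnerable_ping_handler(Session(), {"ping_ipaddr": XSS_PAYLOAD})
    results["vulnerable_reflects_payload"] = "<img src=x onerror=alert(1)>" in vuln_out

    hard = Session()
    try:  # cross-site POST: no token at all
        hardened_ping_handler(hard, {"ping_ipaddr": "8.8.8.8"})
        results["hardened_rejects_cross_site_post"] = False
    except RequestRejected:
        results["hardened_rejects_cross_site_post"] = True

    try:  # same-site POST carrying the token but a non-IP payload
        hardened_ping_handler(hard, {"ping_ipaddr": XSS_PAYLOAD,
                                     "csrf_token": hard.csrf_token})
        results["hardened_rejects_payload"] = False
    except RequestRejected:
        results["hardened_rejects_payload"] = True

    results["hardened_benign_output"] = hardened_ping_handler(
        hard, {"ping_ipaddr": "8.8.8.8", "csrf_token": hard.csrf_token})
    return results


if __name__ == "__main__":
    for name, value in compare_handlers().items():
        print(f"{name}: {value}")
```

The ordering in the hardened handler matters: the CSRF check runs before any input is parsed or stored, so a forged request changes nothing even if it carries a valid address, and the escape on output covers values written to the configuration by any other path.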
Affected Products
Security patch for your D-Link Devices
These firmware updates address the security vulnerabilities in affected D-Link devices. D-Link will update this list continually, and we strongly recommend that all users install the relevant updates.
As our products ship in different hardware revisions, please check the revision of your device before downloading the corresponding firmware update. The hardware revision is usually printed on the product label on the underside of the device, next to the serial number. Alternatively, it can be found in the device's web configuration interface.