Vendors Contacted: TP-LINK
Vendor Patched: Yes, Firmware 140916
System Affected: N750 Wireless Dual Band Gigabit Router (TL-WDR4300), might affect others.
Versions Affected: 130617, possibly earlier
CVE Numbers Assigned: CVE-2014-4727, CVE-2014-4728
It is possible to inject JavaScript code via the DHCP hostname field.
If the administrator visits the DHCP clients page (web panel),
the script will execute.
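The fix class for the hostname issue above, as an added example (not code from this advisory or from the TP-LINK firmware): HTML-escape the client-supplied hostname before writing it into the DHCP clients page, and reject names that are not RFC 1123-style host names at intake. The function names, buffer size and sample value are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: HTML-escape `in` into `out`; -1 if it does not fit. */
int html_escape(const char *in, char *out, size_t cap)
{
    size_t o = 0;
    if (cap == 0) return -1;
    for (; *in; in++) {
        const char *rep = NULL;
        switch (*in) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        }
        size_t n = rep ? strlen(rep) : 1;
        if (o + n >= cap) { out[0] = '\0'; return -1; }  /* fail closed */
        if (rep) memcpy(out + o, rep, n); else out[o] = *in;
        o += n;
    }
    out[o] = '\0';
    return (int)o;
}

/* Hypothetical check: letters, digits, '-', '.'; labels 1..63; total <= 253. */
int hostname_is_valid(const char *h)
{
    size_t total = 0, label = 0;
    for (; *h; h++, total++) {
        unsigned char c = (unsigned char)*h;
        if (c == '.') {
            if (label == 0 || h[-1] == '-') return 0;  /* empty label or "x-." */
            label = 0;
        } else if ((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                   (c >= '0' && c <= '9') || (c == '-' && label > 0)) {
            if (++label > 63) return 0;
        } else return 0;                               /* markup, spaces, etc. */
    }
    return total > 0 && total <= 253 && label > 0 && h[-1] != '-';
}

int main(void)
{
    char cell[64];
    const char *name = "<b>lab-pc</b>";  /* constructed sample hostname */
    if (html_escape(name, cell, sizeof cell) >= 0)
        printf("<td>%s</td> valid=%d\n", cell, hostname_is_valid(name));
}
```

Escaping at output is the control that closes the issue; the intake check is defense in depth and also keeps malformed names out of logs and exports.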
Denial of service condition in the device web server: remotely or locally, send the
device a "GET" request with an extra "Header" with a long value (A x 3000 times).
http://elisyan.com/tplink/wdr4300.html
http://elisyan.com/tplink/wdr4300.py
2014-07-04:
Vendor notified about the vulnerabilities with all the relevant technical information.
2013-09-16:
Vendor released a fix.
The vulnerabilities were discovered by Oz Elisyan.
http://www.tp-link.com/lk/products/details/?model=TL-WDR4300