Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:31579
HistoryDec 29, 2014 - 12:00 a.m.

BF and XSS vulnerabilities in D-Link DCS-2103

2014-12-2900:00:00
vulners.com
660
JSON

Hello 3APA3A!

There are Brute Force and Cross-Site Scripting vulnerabilities in D-Link DCS-2103 (IP camera). If previous Path Traversal and Full path disclosure vulnerabilities were post-auth, then these BF and XSS vulnerabilities are pre-auth.

Affected products:

Vulnerable is the next model: D-Link DCS-2103, Firmware 1.0.0. For BF vulnerability version 1.20 and previous versions are vulnerable.

Developers refused to fix BF vulnerability (they think that it's problem of a user to have strong password) and XSS vulnerability was fixed in firmware version 1.20.

Details:

Brute Force (WASC-11):

http://site

No protection from BF attacks.

Cross-Site Scripting (WASC-08):

http://site/vb.htm?%3Cscript%3Ealert%28document.cookie%29%3C/script%3E

Timeline:

2014.05.22-2014.11.26 - conversation with D-Link about vulnerabilities in DAP-1360.
2014.08.01 - announced at my site about vulnerabilities in DCS-2103.
2014.11.14-2014.12.13 - conversation with D-Link about vulnerabilities in DCS-2103.
2014.12.16 - disclosed at my site (http://websecurity.com.ua/7288/).

I found this and other web cameras during summer to watch terrorists activities in Donetsk and Lugansks regions of Ukraine (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2014-November/009062.html) and also I took under control web cameras in Russia (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2014-December/009065.html).

Best wishes & regards,
Eugene Dokukin aka MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

JSON