Bugtraq mailing list archives

Dlink Di-604 router authenticated user ping tool Xss and DoS

From: Ewerson Guimarães (Crash) - Dclabs <crash () dclabs com br>
Date: Tue, 8 Jun 2010 19:05:11 -0300

[DCA-0001]
[Dlink Di-604 router authenticated user ping tool Xss and DoS]

[vendor product description]
The DI-604 combines the latest advancements in chip technology,
low-cost design and manufacturing with new, feature-rich firewall and
network management controls to give you quite possibly the most
advanced, yet affordable Ethernet router to date.


[Bug Description]
'Ping tools' web interface does not validate the ip textfield size
leading to a Denial Of Service flaw by changing its size and sending
more than 500 characters to it. This textfield is also prone to Cross
Site Scripting. An authenticated user is required to exploit these
security flaws.


[History]
Adv sent to vendor 05/25/2010
No vendor response
Published 06/08/2010


[Impact]
Low

[Afected Version]
All firmware

[Vendor Reply]


------------------------------------------------------------------------------------------------

[Codes]
No codes are needed



--------------------------------------------
DcLabs - Sponsor: Crash
crash () dclabs com br

[Greetz]
Ipax - Alequimico - Gr1nch - Raphx88
------------------------------------

Current thread:

Dlink Di-604 router authenticated user ping tool Xss and DoS Crash (Jun 09)
- <Possible follow-ups>
- Re: Dlink Di-604 router authenticated user ping tool Xss and DoS swbaes (Jun 16)