Wednesday, May 19, 2010

D-Link Router XSS vulnerability found by w01f Labs

I have discovered a cross-site scripting (XSS) vulnerability on my own D-Link router while working on fuzzing and vulnerability research last week. This vulnerability allows injection of arbitrary HTML and malicious script code into the user's browser session.

Discovered Date: May 14, 2010
System affected: D-Link DI-724P+ Router, Firmware Version: v1.03

For more detail on this vulnerability, visit my research site - w01f Labs

Other References:
- SecurityFocus: D-Link DI-724P+ Router 'wlap.htm' HTML Injection Vulnerability
- OSVDB 65002 : D-Link DI-724P+ Admin Interface wlap.htm GET String XSS
- SANS: @RISK: The Consensus Security Vulnerability Alert
