The Broadband Guide
SG
search advanced

Researcher warns about critical flaw in D-Link routers

2013-02-07 09:34 by
Tags: , ,

 

Security expert Michael Messner has identified several security flaws in D-Link's DIR-300 and DIR-600 routers that could allow remote attackers to inject execute arbitrary shell commands via a simple POST request without being authenticated to the device or by tricking the routers' owners into sending the request themselves.

According to Messner, even if a router is not directly accessible via the internet, the hole poses a significant security risk: an attacker could use a specially crafted page to trick router owners into sending the script call to their routers through their local network (Cross-Site Request Forgery, CSRF).

Among other things, the router saves the root password in plain text in the var/passwd file. Together with the previously described hole, this turns the task of extracting the root password into child's play not that it is necessary, as potential attackers can already execute commands at root level anyway.

Messner has notified D-Link about the existence of the flaw back in December 2012. The company responded a little less than two weeks ago, claiming that the problem is browser-related and that they are not planning on providing a fix.

Read more -here-

 

  Post your review/comments
    rate:
   avg:
News Glossary of Terms FAQs Polls Cool Links SpeedGuide Teams SG Premium Services SG Gear Store
Registry Tweaks Broadband Tools Downloads/Patches Broadband Hardware SG Ports Database Security Default Passwords User Stories
Broadband Routers Wireless Firewalls / VPNs Software Hardware User Reviews
Broadband Security Editorials General User Articles Quick Reference
Broadband Forums General Discussions
Advertising Awards Link to us Server Statistics Helping SG About