[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FD] TP-LINK WDR4300 - Stored XSS & DoS

To: fulldisclosure@xxxxxxxxxxxx
Subject: [FD] TP-LINK WDR4300 - Stored XSS & DoS
From: Oz Elisyan <ozelisyan@xxxxxxxxx>
Date: Mon, 22 Sep 2014 02:59:33 +0300

Advisory Information
===============

Vendors Contacted: TP-LINK
Vendor Patched: Yes, Firmware 140916
System Affected: N750 Wireless Dual Band Gigabit Router (TL-WDR4300), might
affect others.
Versions Affected: 130617 , possibly earlier
CVE Numbers Assigned: CVE-2014-4727, CVE-2014-4728


Vulnerabilities Description
===================

# Stored XSS -

It is possible inject javascript code via DHCP hostname field,
If the administrator will visit the dhcp clients page (web panel)
the script will execute.

# DoS (web server) -
Denial of service condition to the device web server, remotely or locally
send the
device a "GET" request with an extra "Header" with a long value (A x 3000
times).


Proof of Concept:
============

http://elisyan.com/tplink/wdr4300.html
http://elisyan.com/tplink/wdr4300.py

Report Timeline:
===========

2014-07-04:
Vendor notified about the vulnerabilities with all the relevant technical
information.

2014-09-16:
Vendor released a fix.

Credits:
======

The Vulnerabilities was discovered by Oz Elisyan.


References:
========

http://www.tp-link.com/lk/products/details/?model=TL-WDR4300

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Prev by Date: [FD] CVE-2014-6603 suricata 2.0.3 Out-of-bounds access in SSH parser
Next by Date: [FD] Strength and Weakness of Methods to Confirm SSH Host Key
Previous by thread: [FD] CVE-2014-6603 suricata 2.0.3 Out-of-bounds access in SSH parser
Next by thread: [FD] Strength and Weakness of Methods to Confirm SSH Host Key
Index(es):
- Date
- Thread