D-Link DSL-2740B Multiple CSRF Vulnerabilities | CVE-2013-5730

I’ve discovered new multiple CSRF vulnerabilities affecting D-Link DSL-2740B ADSL router allowing an attacker to carry out malicious activities, as:

  • Disable/Enable Wireless MAC Address Filter.
  • Disable/Enable all the Firewall protections (Both “SPI” and “DOS and Portscan Protection”).
  • Enable/Disable Remote Management (in my exploit I enabled remote management via http – tcp port 80 – and ssh – tcp port 22 -).

Many other changes can be performed.

For more details please read my Original Advisory:
D-Link DSL-2740B Multiple CSRF Vulnerabilities

MITRE CVE Numbering Authority assigned me CVE-2013-5730 for these vulnerabilities.

The vendor (D-Link) confirmed this vulnerability and  is pending a new firmware release that fixes this security issue:
http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10004

My Advisory has been also published in the following web sites:
http://www.securityfocus.com/bid/62356/
http://secunia.com/advisories/54795
http://www.exploit-db.com/exploits/28239/
http://1337day.com/exploits/21225
http://osvdb.org/show/osvdb/97278
http://xforce.iss.net/xforce/xfdb/87036
http://packetstormsecurity.com/files/123200/D-Link-DSL-2740B-Cross-Site-Request-Forgery.html
http://www.securelist.com/en/advisories/54795
http://www.scip.ch/en/?vuldb.10296
http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10004
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5730
http://cert-mu.gov.mu/English/Pages/Vulnerability%20Notes/2013/VN-2013-220.aspx
http://en.securitylab.ru/nvd/447902.php
Japan CERT (Computer Emergency Response Team)

Update on Google Translate CSRF Vulnerability | Google is fixing the issue

Hey there,
some days ago – 15th of August (2013) – I received the following email from Google Security Team about my latest Google Translate vulnerability:

Hello,
This issue has been fixed and verified by a security engineer – feel free to test and see if we’ve missed anything.
Thanks for all your help!
Regards,
Google Security Team

I cannot hide that, considering what happened in the previous months (read my previous post on this topic),  I have been surprised and happy – I have to admit it 🙂 – to receive an email from Google Security Team in order to inform me that they fixed this vulnerability, independently from the reward that I did not receive.

In the above email they proposed me to test again the vulnerability in order to establish if their fixing activities have been performed correctly.

Yesterday (1st September 2013) I carried out new tests and – unfortunately –  I’ve verified that the vulnerability I discovered is still affecting Google Translate. After the analysis I’ve quickly contacted Google Security team in order to share the results of my tests with the purpose to patch as soon as possible this security issue.

I guess that I will share soon new information about this vulnerability.

Stay tuned!

Translate.google.com | CSRF Vulnerability

I  have discovered a new CSRF vulnerability on translate.google.com web site which could allow an attacker to insert items (Words/Phrases/Urls and related translations) into the user’s Phrasebook. Furthermore an attacker could also insert a potentially malicious Urls – into the above mentioned Phrasebook – towards which the victim could be redirected simply clicking on the “Go to <website>” right-click option on translate.google.com.
The vulnerability is related to a problem into the generation of “xt” anti-CSRF token which is not correctly associated with the user session, allowing an attacker to use any previous generated anti-CSRF parameter – for that specific user- in order to carry out this attack.

For more details, please read my original Advisory:
CSRF Vulnerability on translate.google.com

My research has been also published on PacketStorm:
Google Translate Cross Site Request Forgery

Update (15 August, 2013): I received an email by Google Security Team:

Hello,
This issue has been fixed and verified by a security engineer – feel free to test and see if we’ve missed anything.
Thanks for all your help!

Regards,
Google Security Team

D-Link DSL-2740B (ADSL Router) Authentication Bypass | CVE-2013-2271

I’ve discovered a new vulnerability affecting D-Link DSL-2740B ADSL Wifi Router, which allows an attacker to completely bypass the authentication of this device and gain administrative access.

Fore more details, please read my Advisory:

D-Link DSL-2740B (ADSL Router) Authentication Bypass

MITRE CVE Numbering Authority assigned me CVE-2013-2271 for this vulnerability.

NIST – NVD (Nation Vulnerability Database) published my Advisory:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2271

Department of Homeland Security / US-CERT published my Advisory into the Security Bulletin SB13-329:
https://www.us-cert.gov/ncas/bulletins/SB13-329

The vendor (D-Link) confirmed this vulnerability and  is pending a new firmware release that fixes this security issue:
http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10004

This advisory has been also published in the following web sites:
http://www.securityfocus.com/bid/58266/info
http://packetstormsecurity.com/files/120613/dlinkdsl2740b-bypass.txt
http://1337day.com/exploits/20469
http://www.exploit-db.com/exploits/24563/
http://www.osvdb.org/show/osvdb/90822
http://cxsecurity.com/issue/WLB-2013030027
http://www.scip.ch/?vuldb.7851
http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10004
http://www.eeye.com/resources/security-center/research/zero-day-tracker/2013/20130210
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2271
http://www.security-database.com/detail.php?alert=CVE-2013-2271
Japan CERT (Computer Emergency Response Team)

PlumeCMS <= 1.2.4 Multiple Persistent XSS

PlumeCMS 1.2.4 (and below) is prone to multiple peristent XSS vulnerability due to an improper input sanitization of multiple parameters.

  • “u_email” and “u_realname” parameters are not correctly sanitized before being passed to server side script “manager/users.php” via http POST method. An attacker – who is able to change his profile settings – could insert malicious code into “Email” and/or “Name” fields- within “Authors” template – in order to create a persistent XSS vulnerability for all user/admin who access to Plume’s management interface.
  • An unauthenticated user could insert html/javascript code in “Author” field within “ADD A COMMENT” section – which is present in every web page – due to an incorrect sanitization of “c_author” parameter. This will produce a Persistent XSS vulnerability for all user/admin who will click on “Comments” tab within Plume’s administration interface.

To view my Original Advisory:
PlumeCMS 1.2.4 Multiple Permanent XSS

MITRE CVE Numbering Authority assigned me CVE-2012-2156 for this vulnerability

Other Advisory’s publications:
http://www.securityfocus.com/bid/52890
http://secunia.com/advisories/40133
http://xforce.iss.net/xforce/xfdb/74614
http://osvdb.org/show/osvdb/80960
http://osvdb.org/show/osvdb/80961
http://packetstormsecurity.org/files/111596/PlumeCMS-1.2.4-Cross-Site-Scripting.html
http://www.exploit-db.com/exploits/18699/
http://1337day.com/exploits/17963
http://www.thecybernuxbie.com/exploit-report/plumecms-1-2-4-multiple-persistent-xss.aspx
http://www.x-bug.com/exploits/221