D-Link WBR-1310 Cross-Site Scripting
The D-Link WBR-1310 router reflects unsanitised input in its ping diagnostic page. Combined with a password-change endpoint that does not require the current password, this reflected XSS can be used to silently reset the admin credential and take over the router.
| CVSS Score | 8.8 |
| Severity | High |
| CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
Advisory
| Device | D-Link WBR-1310 |
| Firmware | 4.00 |
| Impact | Change admin password, full router takeover |
| Websec Advisory | WS10-04 |
Background
The D-Link WBR-1310 web administration interface does not validate or sanitise the majority of its input parameters. The ping diagnostic page (tools_vct.php, pingIP parameter) reflects user input directly into the response without encoding it.
Description
Reflected XSS in the pingIP parameter lets an attacker run JavaScript in an authenticated admin's browser. Because the password-change endpoint does not require the current password, the same XSS payload can silently reset the admin credential and hand the router to the attacker.
Exploit / Proof of Concept
http://192.168.0.1/tools_vct.php?pingIP=<script>alert(0)</script>
http://192.168.0.1/tools_vct.xgi?pingIP=<script>alert(0)</script>
Workaround
Do not browse untrusted sites while logged into the router admin panel. Restrict the management interface to trusted hosts on the LAN.
Remediation
No vendor fix was available at disclosure. Avoid exposing the admin panel and restrict LAN access to trusted hosts.
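The following is an added example, not code from the advisory or from D-Link's firmware: it shows the allowlist check a ping page should apply to pingIP (an IP address or a hostname, nothing else), a hardened rendering of the page that also HTML-escapes what it echoes, and a detector that flags requests to the two endpoints above whose pingIP value fails that allowlist. The endpoint paths and parameter name come from the advisory; the access-log format and the sample lines are constructed for the demo.

```python
import ipaddress
import re
from html import escape
from urllib.parse import parse_qs, urlsplit

# Endpoints named in the advisory that reflect the pingIP parameter.
PING_ENDPOINTS = {"/tools_vct.php", "/tools_vct.xgi"}
# RFC 1123 hostname label: letters, digits, hyphens; no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_ping_target(value: str) -> bool:
    """Allowlist: the only sensible pingIP values are an IP address or a hostname."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        pass
    if not value or len(value) > 253:
        return False
    return all(_LABEL.match(label) for label in value.rstrip(".").split("."))


def render_ping_page_hardened(ping_ip: str) -> str:
    """Reject anything outside the allowlist, and escape whatever is echoed anyway."""
    if not is_valid_ping_target(ping_ip):
        return "<p>Invalid ping target.</p>"
    return f"<p>Pinging {escape(ping_ip, quote=True)} ...</p>"


def flag_xss_attempts(access_log_lines):
    """Return decoded pingIP values sent to the ping endpoints that fail the allowlist."""
    hits = []
    for line in access_log_lines:
        parts = line.split()  # constructed format: METHOD TARGET STATUS
        if len(parts) < 2:
            continue
        url = urlsplit(parts[1])
        if url.path not in PING_ENDPOINTS:
            continue
        for value in parse_qs(url.query).get("pingIP", []):
            if not is_valid_ping_target(value):
                hits.append(value)
    return hits


# Constructed sample log lines; the third carries the advisory's PoC payload, URL-encoded.
SAMPLE_LOG = [
    "GET /tools_vct.php?pingIP=8.8.8.8 200",
    "GET /tools_vct.xgi?pingIP=router.example 200",
    "GET /tools_vct.php?pingIP=%3Cscript%3Ealert(0)%3C/script%3E 200",
    "GET /index.php 200",
]
```

Running `flag_xss_attempts(SAMPLE_LOG)` returns only the decoded script payload; the two legitimate ping targets and the unrelated request are not reported.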