D-LINK WBR-1310 CROSS-SITE SCRIPTING (XSS)
==========================================

Device:      D-Link Router
Model:       WBR-1310
Firmware:    4.00
Criticality: Low
Impact:      Change Admin Password
             Take control of router
Advisory:    1-002

(Other versions/models have not been tested)

BACKGROUND
=======================
The D-Link WBR-1310 router is susceptible to Cross-Site Scripting (XSS) attacks. The ping IP parameter's input/output is not sanitized, allowing remotely supplied script to execute in the victim's browser.

DESCRIPTION
=======================
Almost none, if any, of the input/output parameters in the router's interface perform any validation on the data passed to them. Furthermore, no password verification is performed when changing the Admin's password. Using these two weaknesses together, it is possible to use JavaScript to change the Admin's password remotely.

EXPLOIT / POC
=======================
http://192.168.0.1/tools_vct.php?pingIP=
http://192.168.0.1/tools_vct.xgi?pingIP=

WORKAROUND
=======================
Don't browse untrusted websites while logged into your router.

DISCLOSURE TIMELINE
=======================
2009/09/05 - Vulnerability discovered
2009/09/08 - Vendor contacted
2009/11/15 - Vulnerability disclosed

REFERENCES
=======================
WebVuln - http://www.webvuln.com
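As an added illustration (not the router's firmware, which is not published here), the two server-side controls whose absence the advisory describes, applied to the pingIP parameter: allow-list validation of the value as an IPv4 address, and HTML escaping of anything reflected back into the page. The vulnerable renderer and the sample input strings are constructed for this example.

```python
"""Reflected-parameter handling for a ping tool such as tools_vct.php?pingIP=.

Added example: the vulnerable render mirrors the flaw the advisory describes
(raw reflection of pingIP); the hardened render applies an IPv4 allow-list and
escapes any value it echoes. Nothing here is taken from D-Link's code.
"""
import html
import ipaddress
from typing import Optional
from urllib.parse import parse_qs, urlsplit


def parse_ping_ip(url: str) -> Optional[str]:
    """Return the raw pingIP query value, or None if the parameter is absent."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    values = query.get("pingIP")
    return values[0] if values else None


def validate_ping_ip(value: str) -> Optional[str]:
    """Allow-list check: accept only a literal IPv4 address, else None."""
    try:
        # IPv4Address rejects empty strings, out-of-range octets and any
        # non-numeric text, so markup characters can never pass through.
        return str(ipaddress.IPv4Address(value))
    except ValueError:
        return None


def render_vulnerable(value: str) -> str:
    """Constructed stand-in for the flaw: the parameter is reflected verbatim."""
    return f'<input name="pingIP" value="{value}">'


def render_hardened(value: str) -> str:
    """Validate first; escape whatever is echoed, including the error text."""
    ip = validate_ping_ip(value)
    if ip is None:
        # The rejected input is shown to the user, so it is escaped; quote=True
        # also neutralises the double quote that would break out of attributes.
        safe = html.escape(value, quote=True)
        return f'<p class="error">Invalid IP address: {safe}</p>'
    # ip is a canonical dotted quad here; escaping it is defence in depth.
    return f'<input name="pingIP" value="{html.escape(ip, quote=True)}">'


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate, one carrying markup.
    for sample in ("192.168.0.100", '"><script>/*constructed*/</script>'):
        print("vulnerable:", render_vulnerable(sample))
        print("hardened:  ", render_hardened(sample))
```

Note that the allow-list is specific to this parameter's legitimate content; the missing current-password check on the admin password change is a separate control and is not addressed by output encoding.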