Hello 3APA3A!
I want to warn you about new security vulnerabilities in the D-Link DAP 1150 (Wi-Fi Access Point and Router).
These are Abuse of Functionality and Cross-Site Request Forgery vulnerabilities. This is my third advisory in a series of advisories about vulnerabilities in D-Link products.
Abuse of Functionality (WASC-42):
The administrator's login is fixed (it is "admin") and cannot be changed; only the password can. This makes brute-force attacks easier.
CSRF (WASC-09):
All functionality in the admin panel is vulnerable to CSRF. Here are two examples.
Changing the admin's password:
In the Wi-Fi / Common settings section, via CSRF it is possible to turn Wi-Fi on or off, and also to change the MBSSID and BSSID.
The following request will turn off Wi-Fi:
The vulnerable model is: D-Link DAP 1150, firmware version 1.2.94. This model with other firmware versions must also be vulnerable.
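The kind of check the admin panel is missing, shown on the Wi-Fi on/off form as an added example that is not D-Link's firmware code: state changes are accepted only over POST, from the admin UI's own origin, and with a per-session synchronizer token. The management address 192.168.0.50, the session dictionary and the "wifi" form field are assumptions made for the example.

```python
import hmac
import secrets
from typing import Mapping, Optional

# Assumed management address of the access point (constructed for the example).
ADMIN_ORIGIN = "http://192.168.0.50"


def issue_csrf_token(session: dict) -> str:
    """Bind a fresh random token to the admin session; embed it in every form."""
    token = secrets.token_hex(16)
    session["csrf_token"] = token
    return token


def validate_state_change(session: Mapping[str, str], method: str,
                          headers: Mapping[str, str],
                          form: Mapping[str, str]) -> Optional[str]:
    """Return None if the request may change settings, else the rejection reason.

    Checks, in order: settings change only via POST; the browser-supplied
    Origin (or Referer) must be the admin UI itself, so a form auto-submitted
    from another site is rejected; the submitted token must match the one
    bound to the session, compared in constant time.
    """
    if method.upper() != "POST":
        return "state change requires POST"
    origin = headers.get("Origin") or headers.get("Referer", "")
    if origin != ADMIN_ORIGIN and not origin.startswith(ADMIN_ORIGIN + "/"):
        return "cross-site origin"
    expected = session.get("csrf_token", "")
    supplied = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return "missing or invalid CSRF token"
    return None


def handle_wifi_settings(session: dict, method: str, headers: Mapping[str, str],
                         form: Mapping[str, str]) -> dict:
    """Apply the Wi-Fi on/off change only when validate_state_change passes."""
    reason = validate_state_change(session, method, headers, form)
    if reason is not None:
        return {"applied": False, "reason": reason}
    return {"applied": True, "wifi_enabled": form.get("wifi") == "on"}


if __name__ == "__main__":
    session = {}
    token = issue_csrf_token(session)
    # Constructed requests: one from the admin UI, one auto-submitted elsewhere.
    print(handle_wifi_settings(session, "POST", {"Origin": ADMIN_ORIGIN},
                               {"csrf_token": token, "wifi": "off"}))
    print(handle_wifi_settings(session, "POST", {"Origin": "http://other-site.example"},
                               {"wifi": "off"}))
```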
I mentioned these vulnerabilities on my site (http://websecurity.com.ua/5561/).
Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua