Summary
D-Link DSR Router Series devices are prone to an SQL injection vulnerability.
Impact
A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Solution
Updates are available. Please see the references or vendor advisory for more information.
Insight
It was possible to log in to the remote D-Link DSR Router using `admin` as the username and `' or 'a'='a` as the password.
Affected
D-Link DSR-150 (Firmware < v1.08B44)
D-Link DSR-150N (Firmware < v1.05B64)
D-Link DSR-250 and DSR-250N (Firmware < v1.08B44)
D-Link DSR-500 and DSR-500N (Firmware < v1.08B77)
D-Link DSR-1000 and DSR-1000N (Firmware < v1.08B77)
Detection
Try to log in to the remote D-Link DSR Router using an SQL injection attack.
References
Severity
Classification
CVE: CVE-2013-5945, CVE-2013-5946, CVE-2013-7004, CVE-2013-7005
CVSS Base Score: 10.0
AV:N/AC:L/Au:N/C:C/I:C/A:C