Summary
D-Link DSR Router Series are prone to an SQL-injection vulnerability.
Impact
A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Solution
Updates are available. Please see the references or vendor advisory for more information.
Insight
It was possible to log in to the remote D-Link DSR Router using `admin` as the username and `' or 'a'='a` as the password.
Affected
D-Link DSR-150 (Firmware < v1.08B44)
D-Link DSR-150N (Firmware < v1.05B64)
D-Link DSR-250 and DSR-250N (Firmware < v1.08B44)
D-Link DSR-500 and DSR-500N (Firmware < v1.08B77)
D-Link DSR-1000 and DSR-1000N (Firmware < v1.08B77)
Detection
Tries to log in to the remote D-Link DSR Router using an SQL injection attack.
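The login bypass described under Insight works only when the submitted password is concatenated into the SQL statement. The following added example (not code from D-Link or from the scanner) reproduces that defect against a constructed in-memory SQLite table and places it beside the parameterized form that a fix should use; the table, column names and the `s3cret` admin password are assumptions for illustration.

```python
import sqlite3

# Constructed sample credential store; not the router's real schema.
ADMIN_PASSWORD = "s3cret"


def _open_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', ?)", (ADMIN_PASSWORD,))
    return db


def effective_query(username: str, password: str) -> str:
    """The statement a concatenating login handler actually sends to the database.
    With password `' or 'a'='a` the WHERE clause becomes
    (username = 'admin' AND password = '') OR 'a'='a', which matches every row."""
    return ("SELECT COUNT(*) FROM users WHERE username = '" + username
            + "' AND password = '" + password + "'")


def login_vulnerable(username: str, password: str) -> bool:
    """Vulnerable form: user input is spliced into the SQL text."""
    db = _open_db()
    (count,) = db.execute(effective_query(username, password)).fetchone()
    return count > 0


def login_hardened(username: str, password: str) -> bool:
    """Fixed form: bound parameters keep the input as data, so the same
    payload is compared literally against the stored password and fails."""
    db = _open_db()
    (count,) = db.execute(
        "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return count > 0
```

A production handler would compare a salted password hash rather than a plaintext column; the plaintext column here keeps the example focused on the query construction.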
References
Severity
CVSS Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Classification
CVE: CVE-2013-5945, CVE-2013-5946, CVE-2013-7004, CVE-2013-7005