| echo: | |
|---|---|
| to: | |
| from: | |
| date: | |
| subject: | [OS2HW] OT: Cross-Site Scripting in D-Link DSA-3100 Router |
Here is an advisory from Security Tracker, courtesy of Panda Software,
which may be interesting to users of this router.
- Cross-Site Scripting in D-Link DSA-3100 Router -
Oxygen3 24h-365d, by Panda Software (http://www.pandasoftware.com)
Madrid, May 30, 2006 - A vulnerability has been reported in the D-Link
DSA-3100 router that could allow a remote user to construct cross-site
scripting attacks.
The problem stems from the fact that the 'login_error.shtml' script
doesn't properly filter HTML code from user-supplied input in the
'uname' parameter before displaying the input. A remote user could
create a specially crafted URL which, when loaded by a target user,
could cause arbitrary scripting code to be run.
The code originates from the D-Link Router interface and runs in the
security context of the device. As a result, the code will be able to
access the target user's cookies (including authentication cookies), if
any, associated with the device, access data recently submitted by the
target user via web form to the device, or take actions on the device
acting as the target user.
The advisory is available at:
http://www.securitytracker.com/alerts/2006/May/1016173.html.
--
Chimo,
Kenn
_______________________________________________________________
Always act as if life is a joyous journey. -- K.A. Yuill
__________ A Quote for Today __________
Live out of your imagination, not your history.
-- Stephen Covey [19?-, U.S. lecturer/author]
_______________________________________________________________
---
* Origin: Waldo's Place USA Internet Gateway (1:3634/1000)
SEEN-BY: 633/267 270 5030/786
@PATH: 3634/1000 12 106/2000 633/267
| SOURCE: echomail via fidonet.ozzmosis.com | |
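A defensive illustration of the flaw the advisory describes, added here and not part of the original message or of any vendor material: it flags logged requests to 'login_error.shtml' whose 'uname' value carries HTML metacharacters (including double-encoded ones) and shows the output encoding the error page lacks. The log format, request path, addresses and function names are assumptions made for the example.

```python
import html
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed access-log lines (common log format); paths and addresses are made up.
SAMPLE_LOG = [
    '192.0.2.10 - - [30/May/2006:10:00:01 +0000] "GET /login_error.shtml?uname=alice HTTP/1.1" 200 512',
    '192.0.2.11 - - [30/May/2006:10:00:07 +0000] "GET /login_error.shtml?uname=%3Cb%3Etest%3C%2Fb%3E HTTP/1.1" 200 540',
    '192.0.2.12 - - [30/May/2006:10:00:09 +0000] "GET /login_error.shtml?uname=%253Cb%253Ex HTTP/1.1" 200 530',
    '192.0.2.13 - - [30/May/2006:10:00:12 +0000] "GET /index.shtml?uname=%3Cb%3E HTTP/1.1" 200 100',
]

REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')
# Characters that let a reflected value break out of HTML text or an attribute.
HTML_META = re.compile(r"[<>\"']")


def suspicious_uname(target):
    """Return the decoded 'uname' value if it carries HTML metacharacters, else None."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith("login_error.shtml"):
        return None
    for value in parse_qs(parts.query, keep_blank_values=True).get("uname", []):
        # parse_qs percent-decodes once; a second pass catches double encoding.
        decoded = unquote(value)
        if HTML_META.search(decoded):
            return decoded
    return None


def scan(lines):
    """Return (client, decoded uname) for every log line worth reviewing."""
    hits = []
    for line in lines:
        match = REQUEST.match(line)
        if match:
            value = suspicious_uname(match.group(2))
            if value is not None:
                hits.append((match.group(1), value))
    return hits


def render_login_error(uname):
    """Hardened counterpart of the error page: encode the value before reflecting it."""
    return "<p>Login failed for user " + html.escape(uname, quote=True) + "</p>"


if __name__ == "__main__":
    for client, value in scan(SAMPLE_LOG):
        print(client, repr(value), "->", render_login_error(value))
```
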