ISE SOHO Vulnerability Catalog Published - Independent Security ...
<strong>Vulnerability</strong>: PHP File Inclusion <br />
CVE: CVE-2013-4857<br />
Description<br />
The D-Link DIR-865L router is susceptible to a PHP File Inclusion vulnerability that<br />
allows an attacker to include arbitrary XML files containing PHP code for execution.<br />
Attack Requirements<br />
♦ Authentication is required for exploitation.<br />
Details<br />
♦ Other firmware versions were not tested and could be vulnerable.<br />
♦ If an attacker does not have direct access to the affected D-Link DIR-865L router,<br />
CSRF can be used to exploit this vulnerability.<br />
♦ There is a limited version of PHP included with the D-Link DIR-865L router.<br />
Impact<br />
Arbitrary PHP code will be executed by the affected router, which could lead to full<br />
administrative compromise.<br />
Recommendations to the Vendor<br />
♦ Do not use user-supplied data in an include path.<br />
♦ Additional information for vendors regarding immediate and long term fixes for<br />
these issues can be found here: http://www.securityevaluators.com/content/casestudies/routers/#recommendationsVendors<br />
Solution<br />
♦ There currently is not a solution to this problem.<br />
Proof of Concept Exploit<br />
router_info.xml builds the path to another PHP script using string concatenation. <br />
Any PHP code in the included file is run with full root privileges. <br />
♦ http://192.168.0.1/router_info.xml?section=../../tmp/storage//FILE<br />
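A detection check for requests of the shape shown above, as an added example that is not part of the original advisory or D-Link's code. It flags path syntax in the `section` parameter of `router_info.xml`; the allowlist pattern and the benign value `status` are assumptions, and the sample URLs are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

ENDPOINT = "/router_info.xml"          # endpoint named in the advisory
PARAM = "section"                      # parameter used to build the include path
# Assumption: legitimate section names are simple tokens with no path syntax.
SAFE_VALUE = re.compile(r"[A-Za-z0-9_-]+")

def normalize(value, max_rounds=5):
    """Percent-decode until the value stops changing, so encoded forms match too."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def findings(url):
    """Return the reasons a request URL looks like include-path abuse (empty if none)."""
    parts = urlsplit(url)
    if not parts.path.endswith(ENDPOINT):
        return []
    reasons = []
    for name, raw in parse_qsl(parts.query, keep_blank_values=True):
        if name != PARAM:
            continue
        value = normalize(raw)  # parse_qsl has already decoded once
        if ".." in value.replace("\\", "/").split("/"):
            reasons.append("directory traversal")
        if "/" in value or "\\" in value:
            reasons.append("path separator")
        if not SAFE_VALUE.fullmatch(value):
            reasons.append("outside allowlist pattern")
    return reasons

# Constructed sample requests; the first is the request shape printed in the advisory,
# the last uses a hypothetical benign section name.
SAMPLES = [
    "http://192.168.0.1/router_info.xml?section=../../tmp/storage//FILE",
    "http://192.168.0.1/router_info.xml?section=%2e%2e%2ftmp%2fstorage",
    "http://192.168.0.1/router_info.xml?section=status",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(url, "->", findings(url) or "ok")
```

The same allowlist test, applied on the device before the include path is built, is the server-side form of the vendor recommendation above.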
Disclosure Timeline<br />
♦ 3/2013 - Notified D-Link. No response.<br />
♦ 4/3/2013 - Notified D-Link requesting a follow up.<br />