Hello list! There are Brute Force, Abuse of Functionality and Cross-Site Request Forgery vulnerabilities in D-Link DVG-5402SP VoIP Router. ------------------------- Affected products: ------------------------- Vulnerable is the next model: D-Link DVG-5402SP, Firmware RU_1.01. Other versions also must be vulnerable. Since December 2014 the developers didn't answer me concerning vulnerabilities in DVG-5402SP and other D-Link devices, which I informed them about. ---------- Details: ---------- Brute Force (WASC-11): http://site There is no protection from BF attacks in login form. Abuse of Functionality (WASC-42): Fixed logins: "admin" and "user". Which simplifies attacks. Cross-Site Request Forgery (WASC-09): Change admin's password: D-Link DVG-5402SP CSRF-1.html D-Link DVG-5402SP CSRF exploit (C) 2016 MustLive. http://websecurity.com.ua
Cross-Site Request Forgery (WASC-09): After the change, the password must be saved and the device restarted by separate GET request: http://site/ConfigBackupForm.asp I mentioned about these vulnerabilities at my site (http://websecurity.com.ua/7547/). Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua