Skip to content

netsecfish/info_cgi

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

3 Commits

README.md

README.md

 
 

Untitled 1.png

Untitled 1.png

 
 

Untitled 2.png

Untitled 2.png

 
 

Untitled 3.png

Untitled 3.png

 
 

Untitled 4.png

Untitled 4.png

 
 

Untitled 5.png

Untitled 5.png

 
 

Untitled 6.png

Untitled 6.png

 
 

Untitled 7.png

Untitled 7.png

 
 

Repository files navigation

Exposure of Sensitive Information through Unauthenticated CGI Script Access on D-Link DNS Series

Vulnerability Summary

A vulnerability has been identified in the D-Link DNS series network storage devices, allowing for the exposure of sensitive device information to unauthorized actors. This vulnerability is due to an unauthenticated access flaw in the info.cgi script, which can be exploited via a simple HTTP GET request, affecting over 920,000 devices on the Internet.

Untitled

Affected Models

  • DNS-327L Version=1.00.0409.2013
  • DNS-320L Version=1.02.0329.2013 and Version=1.01.0914.2012
  • DNS-320LW Version=1.01.0914.2012

Exploitation

Launch an HTTP GET request to the target device: http://127.0.0.1/cgi-bin/info.cgi

Reproduction Details

Several cases on the Internet were randomly selected:

http://175.137.133.113

http://114.43.213.53/

http://89.251.47.20:84/

http://93.191.42.136:8080

http://89.251.47.20:84

http://91.114.143.193:888

Actual Result

Untitled

Untitled

Untitled

Untitled

Untitled

Untitled

Fix Recommendation

It is recommended to restrict access to the administrative interfaces of the device to trusted IP addresses only and apply network-level authentication.

About

No description, website, or topics provided.

Resources

Readme
Activity

Stars

2 stars

Watchers

2 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published