Hello list! I want to warn you about security vulnerabilities in D-Link DAP 1150 (WiFi Access Point and Router). These are Predictable Resource Location, Brute Force and Cross-Site Request Forgery vulnerabilities. This is my second advisory from series of advisories about vulnerabilities in D-Link products. SecurityVulns ID: 12076. ------------------------- Affected products: ------------------------- Vulnerable is the next model: D-Link DAP 1150, Firmware version 1.2.94. This model with other firmware versions also must be vulnerable. ---------- Details: ---------- Predictable Resource Location (WASC-34): http://192.168.0.50 The control panel of device is placed at default path with default login and password (admin:admin). Which allows for local users (which have access to PC or via LAN) and also for remote users via Internet (via CSRF) to get access to control panel and change router's settings. Default above-mentioned settings - it's standard practice of developers of ADSL routers and other network devices, but D-Link became changing this situation in their new devices. For protecting against problems with default password, D-Link made the next in admin panel: at the first enter to admin panel it's obligatory needed to change a password. I.e. before changing settings it's needed to change default password. And all developers of network devices should use such approach. But Windows-application for configuration of the device, which is bundled on CD, doesn't change a password, only change other settings of access point. Thus it's possible to configure the device with leaving of default password, which will leave the device vulnerable to attacks. Brute Force (WASC-11): In login form http://192.168.0.50 there is no protection against Brute Force attacks. Which allows to pick up password (if it was changed from default), particularly at local attack. E.g. via LAN malicious users or virus at some computer can conduct attack for picking up the password, if it was changed. CSRF (WASC-09): Lack of protection against Brute Force (such as captcha) also leads to possibility of conducting of CSRF attacks, which I wrote about in the article Attacks on unprotected login forms (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2011-April/007773.html). It allows to conduct remote login. Which will be in handy at conducting of attacks on different CSRF vulnerabilities in control panel, which I'll tell you about later. ------------ Timeline: ------------ 2011.11.17 - found vulnerabilities. 2011.12.09 - disclosed at my site. 2011.12.11 - informed developers. I mentioned about these vulnerabilities at my site (http://websecurity.com.ua/5558/). Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua