Vulnerability Title: Stored XSS via Unsanitized User Input in D-Link Router Configuration Page (ad_virtual_server_vdsl)

Discovered by: tzh00203

Contact Information: [email protected]

Affected Version: D-Link DSL6641K version N8.TR069.20131126 and earlier

Component: D-Link Modem Router Configuration Page (ad_virtual_server_vdsl)

Vulnerability Details:

The vulnerability exists in the configuration page of the D-Link DSL6641K router, where user input from several fields is passed to the backend without proper sanitization or validation. The frontend checks parameters like inIP, insPort, inePort, exsPort, and exePort to ensure they are valid IP addresses or port numbers. However, the Name field is not sanitized or validated before being stored.

In the backend, after the updated configuration is passed from the frontend, the Name field is directly included in the configuration string without any validation or encoding, leading to Stored Cross-Site Scripting (XSS). An attacker can inject a malicious JavaScript payload into the Name field, and when the configuration is applied, the payload is stored and executed when the configuration page is later viewed.

Vulnerable Code:

The vulnerability occurs when the following inputs are processed and stored without proper sanitization:

function uiDoValidate() {
	var f = get_obj("frm");
	// User input validation logic (inIP, insPort, inePort, exsPort, exePort)
	// Inputs are checked but not sanitized for XSS
	...
	return true;
}

function uiDoSave() {
	var f = get_obj("frm");
	var url = "";
	// User input is used to construct the URL for saving configuration
	url = doURL(isEdit);
	// Configuration is saved without proper validation or sanitization
	...
	location.href = url;  // Redirects to apply the changes and store unsanitized input
}

[Screenshot: frontend save logic in which f.name.value is placed into the saved configuration]

In this code, user inputs such as f.name.value are directly passed and stored in the router’s configuration. These inputs are not sanitized for XSS, allowing attackers to inject malicious JavaScript code into the configuration.

In the backend, the Name field is stored directly without sanitization:

[Screenshot: backend code that appends the Name field to the configuration string without sanitization]

Steps to Reproduce:

  1. Access the D-Link Router Web Interface

    Log in to the D-Link router's web interface with administrative privileges.


  2. Navigate to the ad_virtual_server_vdsl Configuration Page

    Go to the configuration page where the vulnerable input fields (e.g., Name, inIP, insPort, inePort, exsPort, exePort) are located.
