Vulnerability Title: Stored XSS via Unsanitized User Input in D-Link Router PPPoE Configuration (sp_pppoe_user.js)
Discovered by: tzh00203
Contact Information: [email protected]
Affected Version: D-Link DSL6641K version N8.TR069.20131126 and earlier
Component: D-Link Modem Router PPPoE Configuration (sp_pppoe_user.js)
The vulnerability exists in the sp_pppoe_user.js script, where user input from the Username field in the PPPoE configuration form is directly passed to the configuration without proper sanitization or encoding. The function doSubmitPPP builds a configuration string with the Username value directly included, potentially allowing the injection of malicious JavaScript.
The lack of sanitization means that an attacker can inject a malicious payload into the Username field, and once submitted, the payload is stored in the router's configuration. When the configuration is accessed again, the injected JavaScript is executed, leading to Stored Cross-Site Scripting (XSS).
The checkparameter() function in the sp_pppoe_user.js script is responsible for validating user inputs in the PPPoE configuration form. Specifically, it checks the Username field to ensure its length is between 1 and 32 characters. If the value does not meet these conditions, an error message is displayed and focus is returned to the input field.
However, the vulnerability arises because, despite checking the length of the Username field, the script does not sanitize or encode the input for special characters like <, >, ", ', and &. As a result, if an attacker injects a malicious JavaScript payload into the Username field (e.g., <script>alert('XSS')</script>), this input will be passed directly into the router's configuration.

The doSubmitPPP function processes user input from fields like Username, pvcid, and max_time. While some parameters are validated, the Username field is directly included in the configuration URL without sanitization:
str += "set/wan/dsl/inf:" + connSave + "/ppp/user=" + subHtmAsc(f.name.value); // Vulnerable line
This lack of sanitization allows attackers to inject malicious JavaScript into the Username field, leading to Stored XSS when the configuration is displayed, potentially causing session hijacking or unauthorized actions.
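The following is an added example, not code from the D-Link firmware or the sp_pppoe_user.js script, showing what the length-only check in checkparameter() and the string-building step in doSubmitPPP would look like with input validation and output encoding added. The function names validatePppoeUsername, escapeHtml and buildPppUserSetting, the entity map, and the use of encodeURIComponent in place of the firmware's subHtmAsc (whose behaviour is not described on this page) are all assumptions made for the example; the rejected input is the page's own alert('XSS') sample.

```javascript
// Added example (not the vendor's code): hardened handling of the PPPoE Username
// value described in the advisory. Names and the encoding choice are assumptions.

// The five characters the advisory names as left unencoded. A PPPoE username has
// no legitimate need for any of them, so they are rejected at input time.
const HTML_SPECIAL = /[<>"'&]/;

// Length check as the advisory describes for checkparameter() (1..32 characters),
// plus rejection of HTML metacharacters. Returns a result object instead of
// calling alert()/focus() so the logic can be tested outside a browser.
function validatePppoeUsername(value) {
  if (typeof value !== "string") {
    return { ok: false, reason: "username must be a string" };
  }
  if (value.length < 1 || value.length > 32) {
    return { ok: false, reason: "username length must be between 1 and 32 characters" };
  }
  if (HTML_SPECIAL.test(value)) {
    return { ok: false, reason: "username must not contain < > \" ' or &" };
  }
  return { ok: true, reason: "" };
}

// Output encoding for the second half of the problem: when a stored value is
// written back into the configuration page, entity-encode it so that even a
// value that bypassed input validation renders as inert text.
function escapeHtml(value) {
  const entities = { "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;", "&": "&amp;" };
  return String(value).replace(/[<>"'&]/g, (c) => entities[c]);
}

// Builds the "set/wan/dsl/inf:<inf>/ppp/user=<name>" fragment quoted from
// doSubmitPPP, but only from a validated username, and percent-encodes it for
// transport in the configuration URL (encodeURIComponent is an assumed
// replacement for subHtmAsc, whose behaviour the advisory does not describe).
function buildPppUserSetting(connSave, username) {
  const check = validatePppoeUsername(username);
  if (!check.ok) {
    throw new Error("rejected PPPoE username: " + check.reason);
  }
  return "set/wan/dsl/inf:" + connSave + "/ppp/user=" + encodeURIComponent(username);
}

// Stand-alone demonstration with constructed inputs.
const SAMPLE_PAYLOAD = "<script>alert('XSS')</script>"; // the advisory's own sample input
console.log(validatePppoeUsername(SAMPLE_PAYLOAD));      // rejected: metacharacters
console.log(escapeHtml(SAMPLE_PAYLOAD));                  // rendered inert if it ever reached output
console.log(buildPppUserSetting("pvc0", "user@isp.example")); // accepted, percent-encoded
```

The two layers are deliberately independent: validatePppoeUsername stops the value from ever reaching the stored configuration, and escapeHtml protects the page that later displays whatever is stored, so a gap in one does not leave the page unprotected.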

In the backend, after the updated configuration is passed from the frontend, the Name field is not properly sanitized before being stored. The function mn_config_wan_dsl_ppp() handles configuration updates, and the following code demonstrates how the backend processes and stores the configuration:
