CVE-2015-1028
Description
Multiple cross-site scripting (XSS) vulnerabilities in D-Link DSL-2730B router (rev C1) with firmware GE_1.01 allow remote authenticated users to inject arbitrary web script or HTML via the (1) domainname parameter to dnsProxy.cmd (DNS Proxy Configuration Panel); the (2) brName parameter to lancfg2get.cgi (Lan Configuration Panel); the (3) wlAuthMode, (4) wl_wsc_reg, or (5) wl_wsc_mode parameter to wlsecrefresh.wl (Wireless Security Panel); or the (6) wlWpaPsk parameter to wlsecurity.wl (Wireless Password Viewer).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
D-Link DSL-2730B router firmware GE_1.01 has multiple stored XSS vulnerabilities in the web interface, allowing authenticated admins to inject arbitrary script.
Vulnerability
Multiple stored cross-site scripting (XSS) vulnerabilities exist in the D-Link DSL-2730B router (rev C1) running firmware GE_1.01. The vulnerable parameters are: (1) domainname in dnsProxy.cmd (DNS Proxy Configuration Panel); (2) brName in lancfg2get.cgi (Lan Configuration Panel); (3) wlAuthMode, (4) wl_wsc_reg, and (5) wl_wsc_mode in wlsecrefresh.wl (Wireless Security Panel); and (6) wlWpaPsk in wlsecurity.wl (Wireless Password Viewer) [1]. These parameters are not properly sanitized before being stored and later rendered in the administrative web interface [1].
Exploitation
An attacker must first authenticate as an administrator to the router's web interface [1]. By crafting a malicious payload (e.g., JavaScript) in any of the listed parameters and submitting the corresponding form, the payload is stored on the device. When the administrator—or any other user with access to the vulnerable panel—views the affected page, the stored script executes in the context of the victim's browser session [1]. The attacker needs network access to the router's management interface and valid administrative credentials [1].
Impact
Successful exploitation allows an authenticated attacker to inject arbitrary web script or HTML that will be executed in the browser of any user who accesses the vulnerable panel [1]. This can lead to session hijacking, defacement, credential theft, or other actions within the administrative interface. The stored XSS persists across sessions, affecting the router's administrator and potentially other internal network users if they visit the compromised panels [1].
Mitigation
As of the publication date (2015-01-21), no firmware update or patch from D-Link was available to address these vulnerabilities [1]. Mitigation requires restricting administrative web interface access to trusted networks only, disabling remote management if not needed, and carefully reviewing all submitted parameters for malicious input until a patched firmware version is released [1].
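The two controls the mitigation text points at, validating submitted parameters and encoding stored values at render time, are shown below in a small defender-side illustration. This is an added example written for this page; it is not code from the CVE record, from the cited exploit write-ups, or from D-Link's firmware. The in-memory SETTINGS dict, the hostname allow-list regex, the HTML snippet and the constructed payload are all assumptions made for the demonstration; the real firmware's storage layout, page templates and format rules for domainname are not known from the page.

```python
import html
import re

# Constructed stand-in for the router's persisted configuration store
# (assumption: the real device's storage layout is not described on the page).
SETTINGS = {}

# Allow-list for the domainname parameter: RFC 1035-style hostname labels.
# Assumption for this example; the firmware's actual rules are not known.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$",
    re.IGNORECASE,
)


def save_domain_unsafe(value: str) -> None:
    """Vulnerable pattern: persist whatever the form submitted, unchecked."""
    SETTINGS["domainname"] = value


def render_unsafe() -> str:
    """Vulnerable pattern: splice the stored value into the page unescaped."""
    return '<input name="domainname" value="%s">' % SETTINGS.get("domainname", "")


def save_domain_validated(value: str) -> None:
    """Hardened: reject anything that is not a plausible hostname on input."""
    if not HOSTNAME_RE.match(value):
        raise ValueError("domainname is not a valid hostname")
    SETTINGS["domainname"] = value


def render_escaped() -> str:
    """Hardened: HTML-escape at the point of output, whatever was stored.

    Escaping on output is the control that matters for stored XSS; input
    validation is defence in depth and catches the bad value earlier.
    """
    value = html.escape(SETTINGS.get("domainname", ""), quote=True)
    return '<input name="domainname" value="%s">' % value


def contains_script_tag(rendered: str) -> bool:
    """Crude check used by the demo: did a raw <script> tag reach the page?"""
    return "<script" in rendered.lower()


# Constructed test input that closes the value attribute and opens a tag.
CONSTRUCTED_PAYLOAD = '"><script>x</script>'


def demo() -> dict:
    """Run the vulnerable and hardened paths side by side and report."""
    save_domain_unsafe(CONSTRUCTED_PAYLOAD)
    unsafe_page = render_unsafe()
    escaped_page = render_escaped()  # same stored value, escaped on output
    try:
        save_domain_validated(CONSTRUCTED_PAYLOAD)
        rejected = False
    except ValueError:
        rejected = True
    save_domain_validated("lan.example")  # a legitimate value is accepted
    return {
        "unsafe_has_script": contains_script_tag(unsafe_page),
        "escaped_has_script": contains_script_tag(escaped_page),
        "payload_rejected": rejected,
        "stored": SETTINGS["domainname"],
    }


if __name__ == "__main__":
    print(demo())
```

The same pattern applies to the other five parameters on the page: each is a free-text field that the panel later echoes back, so each needs an allow-list appropriate to its meaning (an SSID or bridge name has different rules from a hostname) and, independently of that, HTML escaping wherever the stored value is written into a page.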
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:o:dlink:dsl-2730b_firmware:ge_1.01:*:*:*:*:*:*:*
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- www.exploit-db.com/exploits/35747 (nvd, Exploit)
- www.exploit-db.com/exploits/35750 (nvd, Exploit)
- www.exploit-db.com/exploits/35751 (nvd, Exploit)
- www.xlabs.com.br/blog/ (nvd, Exploit)
News mentions
No linked articles in our index yet.