D-Link DWL-2100ap Discloses Configuration File to Remote Users
|
|
SecurityTracker Alert ID: 1016234
|
|
SecurityTracker URL: http://securitytracker.com/id?1016234
|
|
CVE Reference: CVE-2006-2901
(Links to External Site)
|
Updated: May 22 2009
|
Original Entry Date: Jun 6 2006
|
Impact: Disclosure of authentication information, Disclosure of system information, Disclosure of user information
|
Fix Available: Yes
Exploit Included: Yes
Vendor Confirmed: Yes
|
Version(s): D-Link DWL-2100ap; firmware version 2.10na
|
Description: A vulnerability was reported in the D-Link DWL-2100ap wireless router. A remote user can obtain sensitive information from the target device.
A remote user can directly request files in the '/cgi-bin/' directory with a '.cfg' file extension to obtain the device configuration.
A
demonstration exploit URL is provided:
http://[target]/cgi-bin/Intruders.cfg
Wendel Guglielmetti Henrique and the Intruders
Tiger Team Security discovered this vulnerability.
The original advisory is available at:
http://www.intruders.com.br/adv0206en.html
|
Impact: A remote user can obtain the device configuration, including password information.
|
Solution: The vendor has reportedly issued a firmware patch, available at:
http://www.dlink.com.br/internet/downloads/Wireless/DWL-2100AP/DWL2100AP-firmware-v210na-r0343.tfp
|
Vendor URL: www.dlink.com/ (Links to External Site)
|
Cause: Access control error
|
|
Message History:
None.
|
Source Message Contents
|
Date: Tue, 6 Jun 2006 01:41:27 -0400
Subject: ADVISORY/0206 - D-Link Wireless Access-Point (DWL-2100ap)
|
http://www.intruders.com.br/adv0206en.html
|
|
