Dlink DI614+, DI704P and DI624 Xtreme G routers contain a flaw that allows a remote cross site scripting attack. This flaw exists because the firmware does not validate the supplied DHCP hostnames upon writing to the router's log. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the router, leading to a loss of integrity or availability.
Classification
Location:
Remote/Network Access Required
Attack Type:
Input Manipulation
Impact:
Loss of Integrity
Exploit:
Exploit Available
Disclosure:
OSVDB Verified
OSVDB:
Web Related
Solution
Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround(s): Disable DHCP or do not view the router's log file.
sympatico.ca -