A security researcher has reported a number of reflected and stored XSS flaws in D-Link’s 2760N routers (DSL-2760U-BN) through the Full Disclosure mailing list.
Liad Mizrachi, the researcher who revealed the flaws, claimed that he contacted D-Link five times from August 17 until October 10 but failed to get any response. Because of the lack of response or acknowledgement from the vendor, Mizrachi took to Full Disclosure to reveal a total of 15 XSS flaws present in various sections of the 2760N’s user interface.
Some of the sections of the router where the XSS flaws are present include Dynamic DNS, Parental Control, URL Filtering, NAT – Port Triggering, IP Filtering, SNMP, Incoming IP Filter, Policy Routing Add, Policy Routing – Removal Error, Printer Server, SAMBA Configuration and Wi-Fi SSID.
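The flaws above all follow one pattern: a configuration value the administrator types in (an SSID, a filter name, a DDNS hostname) is written back into the router's HTML pages without encoding. The snippet below is an added illustration, not D-Link's firmware code or anything from Mizrachi's report: it shows a constructed settings page rendering a Wi-Fi SSID both the unsafe way and with HTML attribute encoding, and uses the standard-library parser to show what a browser would actually see. The function and field names are assumptions chosen for the demo.

```python
import html
from html.parser import HTMLParser

# Constructed example: an in-memory "settings store" standing in for the
# router's saved configuration. A stored XSS arises when a value saved here
# is later rendered unencoded on every page load; a reflected one when a
# request parameter is echoed straight back. Both are fixed the same way.
_settings = {}


def save_ssid(ssid: str) -> None:
    """Persist the SSID exactly as supplied (storage itself is not the bug)."""
    _settings["ssid"] = ssid


def render_ssid_unescaped() -> str:
    """Vulnerable pattern: the stored value is concatenated straight into markup."""
    return f'<input name="ssid" value="{_settings.get("ssid", "")}">'


def render_ssid_escaped() -> str:
    """Hardened pattern: HTML-encode for the attribute context before interpolating.
    quote=True also encodes the double quote, which is what keeps the value
    inside the attribute."""
    safe = html.escape(_settings.get("ssid", ""), quote=True)
    return f'<input name="ssid" value="{safe}">'


class _TagCollector(HTMLParser):
    """Records every start tag and its (entity-decoded) attributes."""

    def __init__(self) -> None:
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def parse_markup(markup: str):
    """Return [(tag, attrs), ...] as a browser-like parser would see the page.
    The page is safe only if the single intended <input> is the only element."""
    collector = _TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags


if __name__ == "__main__":
    # Constructed input that closes the attribute and opens a new element.
    save_ssid('Home"><b>x</b>')
    print(parse_markup(render_ssid_unescaped()))  # two elements: input, b
    print(parse_markup(render_ssid_escaped()))    # one element; value round-trips intact
```

The parser output is the useful check: after encoding, the SSID round-trips as a single attribute value rather than as extra elements, which is the property a reviewer should verify for every field the report lists.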
Just about a month ago, a researcher warned of the existence of a hard-coded backdoor in D-Link routers, which could allow administrative access to the router simply by changing the browser’s user agent string. A day after that disclosure, D-Link promised an update that would close off the backdoor.