Bugtraq mailing list archives

Router DSL Dlink
From: "Linux" <linux () ariu it>
Date: Wed, 23 Oct 2002 23:50:22 +0200

Hi Gurus,

I need your opinion about insecurity in the Dlink DSL router.

1 month ago I bought a Dlink DSL500 ADSL router.
After some trouble with it regarding telnet access and the telnet command,
advertised in the technical specification on Dlink's site (Italy and USA) but
not provided by Dlink's tech support, I activated the Remote
Administration Control. This permits web access from a remote network to the
router management, protected with user & password; this control also
activated telnet access to the router. This wouldn't be a problem if I could
change the default password used for telnet access to another one.

I wrote to Dlink's Italian tech support and asked them how to change the
default telnet password.
They said that the password is only for Dlink internal users and it can't be

This can't be acceptable; the router doesn't have the security prerequisites. Yes, I
can set a filter for the telnet port, but I must be able to change the telnet

Can Dlink sell a product with this problem?
What can I do?
I think that Dlink must solve this problem by providing new firmware for the
router as soon as possible.
What is your opinion?

Please excuse my English.

Thanks in advance.

----- Original Message -----
From: "qber66" <qber66 () pandora be>
To: <bugtraq () securityfocus com>
Sent: Wednesday, September 11, 2002 8:17 PM
Subject: XSS bug in MyMarket 1.71

| XSS in MyMarket 1.71 |

Product Description
MyMarket is a fully functional online shopping catalog system, built using
PHP and MySQL. It was created by Ying Zhang for the purpose of teaching
people about the basics of creating an E-Commerce site. It can be found at

Vulnerable systems
MyMarket 1.71


(without "*")

Put these two lines at the beginning of form_header.php:

---- form_header.php -----
   // Escape HTML metacharacters before the messages are echoed into the page
   $noticemsg = htmlspecialchars($noticemsg);
   $errormsg = htmlspecialchars($errormsg);

Vendor response
I submitted this a week ago; the vendor hasn't responded yet.

Tim Vandermeersch
qber66 () pandora be
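As an added example, not code from the advisory or from MyMarket itself, the shape of the bug and of the suggested fix: a header fragment that places a message string into HTML, once unescaped and once passed through htmlspecialchars() as the post recommends. The render_header() helper and the sample input are constructed for illustration; how MyMarket actually fills $noticemsg and $errormsg is not shown in the post.

```php
<?php
// Constructed stand-in for the part of form_header.php that prints a
// notice or error message above a form. Not MyMarket's own code.
function render_header(string $noticemsg, string $errormsg, bool $escape): string
{
    if ($escape) {
        // The advisory's fix: neutralise <, >, & and quotes before the
        // strings land in the page. ENT_QUOTES also covers single quotes,
        // so the value is safe inside attribute values as well as text.
        $noticemsg = htmlspecialchars($noticemsg, ENT_QUOTES, 'UTF-8');
        $errormsg  = htmlspecialchars($errormsg, ENT_QUOTES, 'UTF-8');
    }
    return "<div class=\"notice\">$noticemsg</div>\n"
         . "<div class=\"error\">$errormsg</div>\n";
}

// Constructed input: text that reached the script from the request and
// contains markup. Without escaping the browser renders the tags;
// with escaping they appear as literal text (&lt;b&gt;...&lt;/b&gt;).
$untrusted = '<b>not plain text</b>';

echo "Before the fix:\n" . render_header('', $untrusted, false);
echo "After the fix:\n"  . render_header('', $untrusted, true);
```

The same escaping must be applied everywhere a request-derived string is echoed, not only to these two variables; escaping once at output time is the part of the fix that actually removes the injection point.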
