Researcher finds stored XSS flaw in several D-Link NAS devices
D-Link was informed and released updates for some, but not all, of the products in question.
Seven D-Link network attached storage (NAS) devices are vulnerable to an XSS defect that can be exploited without the user downloading malware or clicking on a malicious link.
Benjamin Daniel Mussler wrote in his InfoSec Blog that he first noted the issue in the D-Link DNS-320 NAS using firmware version 2.05b8 and has since discovered six other products with the same problem. All are vulnerable to a stored XSS flaw whose injection point is the username of an unsuccessful login attempt. If the flaw is exploited, an attacker can gain full read and write access to the device.
"This is one of the relatively few XSS vulnerabilities where malicious code can be injected despite having neither direct nor indirect access to the vulnerable web application," Mussler wrote. "As such, it can be exploited even when access to ports 80/tcp (HTTP) and 443/tcp (HTTPS) is denied."
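The pattern described above, shown from the defender's side as an added example that is not code from D-Link or from Mussler's write-up: a failed-login username recorded by some non-web service is later rendered in an admin log page, first without and then with output encoding, plus a check that flags stored usernames containing markup. The record layout, the `file-share` service label and all function names are assumptions made for illustration.

```python
import html
import re

# Constructed failed-login records, as an auth log might hold them. The
# "service" values are assumptions: the page does not name the login service.
FAILED_LOGINS = [
    {"time": "2015-01-01 10:00:00", "service": "file-share", "user": "alice"},
    {"time": "2015-01-01 10:00:05", "service": "file-share",
     "user": "<script>/* constructed marker */</script>"},
]

def render_row_unsafe(entry):
    """The 'before' pattern: the stored username is concatenated into HTML as-is."""
    return "<tr><td>%s</td><td>%s</td></tr>" % (entry["time"], entry["user"])

def render_row_safe(entry):
    """Hardened: every stored field is HTML-encoded at output time."""
    return "<tr><td>%s</td><td>%s</td></tr>" % (
        html.escape(entry["time"], quote=True),
        html.escape(entry["user"], quote=True),
    )

# Characters with meaning in HTML; a login name has no legitimate need for them.
MARKUP = re.compile(r"[<>\"'&]")

def suspicious_usernames(entries):
    """Detection: return stored usernames that contain HTML metacharacters."""
    return [e["user"] for e in entries if MARKUP.search(e["user"])]

def contains_live_tag(fragment):
    """True if the rendered fragment still contains a literal <script tag."""
    return "<script" in fragment.lower()

if __name__ == "__main__":
    for e in FAILED_LOGINS:
        print("unsafe:", render_row_unsafe(e))
        print("safe:  ", render_row_safe(e))
    print("flagged:", suspicious_usernames(FAILED_LOGINS))
```

Encoding at render time is what closes the hole, because the log is written by services the web interface does not control; the username check is a detection aid for reviewing existing logs, not a substitute for encoding.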
D-Link told SCMagazine.com in an email that XSS fixes are available for the impacted models.
D-Link has not responded to SCMagazine.com's request for further information.