Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

D-Link DIR-140L / DIR-640L Credential Disclosure

Related Vulnerabilities: CVE-2018-18009  
Publish Date: 22 Dec 2018
Author: Tyler Cui
Source 
                							

                [Vendor]
us.dlink.com


[Product]
DIR-140L (version 1.02)
DIR-640L (version 1.01RU)
Other versions might also be affected.


[Vulnerability Type]
admin credentials disclosure


[Affected Component]
Web Interface


[CVE Reference]
CVE-2018-18009


[Security Issue]
An unauthenticated user can visit the file dirary0.js, for example, http://victime_ip/dirary0.js, and obtain clear text password of user admin at the line:

gosave_ok = ("__password__".length < 6)?true:false

[Network Access]
Remote via Web Interface


[Authentication]
Not required


[Disclosure Timeline]
2018-06-17: Vendor Notification
2018-06-19: Vendor acknowledgement
2018-10-23: Request update
2018-10-26: Vendor: "I don't have an update currently, but fixes are under development."
2018-12-07: Inform vendor of disclosure
2018-12-17: Public Disclosure



<p>

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started