Found one (new) vulnerability in the D-Link DIR-300 router.
It is posted here:
# Requirements
1. HTTP(S) access to the router
2. Ability to make configuration changes
# Access vector
Persistent XSS / Script execution
# Vulnerable platform
D-Link DIR-300 Firmware v1.3
# Steps to reproduce
1. Log in to the D-Link router.
2. Setup -> LAN Setup -> DHCP Client List
Here, DHCP client information (DHCP reservations) can be added: hostname, IP address, and MAC address. None of these three fields validates its input.
Scripts can be submitted as input values, and they are then stored as part of the configuration.
Once the page is reloaded or accessed again, these values are populated from the stored configuration and the JavaScript is executed.
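The two controls that are missing on the DHCP reservation page, as an added example that is not code from the advisory or from the D-Link firmware: strict validation of the three fields before they are stored, and HTML-escaping of the stored values when the client list is rendered. The field names, regexes and sample reservations below are assumptions constructed for the demonstration.

```javascript
// Added example (not from the advisory or the D-Link firmware): validation on input
// and escaping on output for a DHCP reservation entry, run on constructed samples.

// Assumed formats: RFC 1123 hostname, dotted-quad IPv4, colon-separated MAC.
const HOSTNAME_RE = /^(?=.{1,253}$)[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$/i;
const IPV4_RE = /^(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}$/;
const MAC_RE = /^([0-9A-F]{2}:){5}[0-9A-F]{2}$/i;

// Returns the names of the fields that failed validation; an empty list means the
// reservation may be stored. Reject before anything reaches the configuration.
function validateReservation({ hostname, ip, mac }) {
  const bad = [];
  if (!HOSTNAME_RE.test(hostname)) bad.push('hostname');
  if (!IPV4_RE.test(ip)) bad.push('ip');
  if (!MAC_RE.test(mac)) bad.push('mac');
  return bad;
}

// Escape the five characters that let stored text break out of an HTML text node
// or attribute value. Output encoding is applied regardless of input validation.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// Vulnerable rendering, as the advisory describes it: stored values are placed
// into the page unchanged, so markup in any field becomes part of the DOM.
function renderRowUnsafe(r) {
  return `<tr><td>${r.hostname}</td><td>${r.ip}</td><td>${r.mac}</td></tr>`;
}

// Hardened rendering: every stored value is escaped at the point of output.
function renderRowSafe(r) {
  return `<tr><td>${escapeHtml(r.hostname)}</td><td>${escapeHtml(r.ip)}</td><td>${escapeHtml(r.mac)}</td></tr>`;
}

// Constructed samples: one legitimate reservation, one with markup in the hostname.
const GOOD = { hostname: 'printer-01', ip: '192.168.0.20', mac: '00:11:22:33:44:55' };
const TAINTED = { hostname: '<script>x</script>', ip: '192.168.0.21', mac: '00:11:22:33:44:66' };

console.log('validation:', validateReservation(GOOD), validateReservation(TAINTED));
console.log('unsafe:', renderRowUnsafe(TAINTED));
console.log('safe:  ', renderRowSafe(TAINTED));
```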
# HTTP Request:
User-Agent=Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:18.0)
# HTTP Response
The requirements listed in this advisory are only the steps needed to reproduce the issue in a lab.
An attacker may instead use other known vulnerabilities, such as unauthenticated remote code execution or CSRF, to submit malicious input that later triggers the XSS when a user accesses the router's web interface. Hence, I don't consider this 'administratively inflicted', as the Packet Storm publisher noted in the description.
Also, from a vulnerability assessment perspective, XSS is a security flaw distinct from OS command injection, CSRF or broken authentication. Each of these may carry a different severity depending on the environment and the assets involved, but all issues with an impact should nevertheless be reported.