Vulnerability category: Web server
Vulnerability severity:
Vulnerability information
D-Link DCS series network cameras have an insecure CrossDomain.XML file, which allows sites hosting a malicious Flash object to access or change device settings.
Affected Versions:
DCS-6212L(H/W:A, F/W prior to v1.00.12)
DCS-7000L(H/W:A, F/W prior to v1.04.00)
DCS-2132L(H/W:A, F/W prior to v1.08.01)
DCS-2136L(H/W:A, F/W prior to v1.04.01)
DCS-2210L(H/W:A, F/W prior to v1.03.01)
DCS-2230L(H/W:A, F/W prior to v1.03.01)
DCS-2310L(H/W:A, F/W prior to v1.08.01)
DCS-2332L(H/W:A, F/W prior to v1.08.01)
DCS-6010L(H/W:A, F/W prior to v1.15.01)
DCS-7010L(H/W:A, F/W prior to v1.08.01)
DCS-2530L(H/W:A, F/W prior to v1.00.210)
DCS-930L(H/W:A, F/W prior to v1.15.04)
DCS-930L(H/W:B, F/W prior to v2.13.15)
DCS-932L(H/W:A, F/W prior to v1.13.04)
DCS-932L(H/W:B, F/W prior to v2.13.15)
DCS-934L(H/W:A, F/W prior to v1.04.15)
DCS-942L(H/W:A, F/W prior to v1.27)
DCS-942L(H/W:B, F/W prior to v2.11.03)
DCS-931L(H/W:A, F/W prior to v1.13.05)
DCS-933L(H/W:A, F/W prior to v1.13.05)
DCS-5009L(H/W:A, F/W prior to v1.07.05)
DCS-5010L(H/W:A, F/W prior to v1.13.05)
DCS-5020L(H/W:A, F/W prior to v1.13.05)
DCS-5000L(H/W:A, F/W prior to v1.02.02)
DCS-5025L(H/W:A, F/W prior to v1.02.10)
DCS-5030L(H/W:A, F/W prior to v1.01.06)
Impact
If a victim who is logged into the camera's web console visits a malicious site hosting a malicious Flash file from another tab in the same browser, the malicious Flash file can then send requests to the victim's DCS series camera without knowing the credentials. An attacker can host a malicious Flash file that can retrieve live feeds or information from the victim's DCS series camera, add new admin users, or make other changes to the device.
Solution
Customers are advised to download the latest firmware from the My D-Link Portal.
Patch:
Following are links for downloading patches to fix the vulnerabilities: