#############################################################
#
# SWISSCOM CSIRT ADVISORY - http://www.swisscom.com/security
#
#############################################################
#
# CVE ID:  CVE-2015-1187
# Product: D-Link DIR636L
# Vendor:  D-Link
# Subject: Remote Command Injection - Preauth
# Effect:  Remotely exploitable
# Author:  Tiago Caetano Henriques (Tiago.CaetanoHenriques _AT_ swisscom.com)
# Date:    March 2nd 2015
#
#############################################################

Introduction:
-------------
Swisscom CSIRT discovered a security flaw in the management
interface of the Alcatel Lucent 1830 Photonic Service Switch series.

Vulnerable:
-----------
All switches of Release 6.0 or lower are vulnerable.

Patches:
--------
None.

Description:
------------
The management interface of the 1830 Photonic Switch series is
vulnerable to reflected cross-site scripting, since user input is
not properly encoded on output. Exploiting this vulnerability leads
to cross-site scripting (XSS) and allows the impersonation of
logged-in admin users.

Additionally, the myurl parameter accepts non-local web addresses,
which can be abused to redirect victims to arbitrary web sites.

Attack vector:
--------------
https://xx.xx.xx.xx/menu/pop.html?myurl=);

Milestones:
-----------
Dec 18th 2014    Vulnerability discovered
Jan 18th 2015    CVE ID 2015-1187 assigned by MITRE
Feb 2nd 2015     Vendor contact established and provided with technical details
Feb 16th 2015    Vendor acknowledged issue and communicated timeline for patches
Feb 26th 2015    Public Full Disclosure by Peter Adkins
Mar 2nd 2015     Forced release of this advisory due to the previous Full Disclosure
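
Mitigation sketch for the two issues in the Description (output that is not encoded, and a myurl parameter that accepts non-local addresses). This is an added example, not vendor or Swisscom code. The origin https://device.example, the function names and the iframe markup are assumptions made for illustration; the advisory does not say how pop.html uses the value.

```javascript
// Assumed origin of the management interface (placeholder, not from the advisory).
const LOCAL_ORIGIN = 'https://device.example';

// Encode a string for safe placement in HTML text or a quoted attribute.
function encodeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Return a normalized site-local path for a myurl-style value,
// or null when the value must be rejected.
function safeLocalTarget(raw) {
  if (typeof raw !== 'string' || raw.length === 0 || raw.length > 2048) return null;
  // Control characters and backslashes are interpreted inconsistently by browsers.
  if (/[\u0000-\u001f\u007f\\]/.test(raw)) return null;
  // Accept only site-relative paths: one leading slash, never "//host".
  if (!raw.startsWith('/') || raw.startsWith('//')) return null;
  let u;
  try {
    u = new URL(raw, LOCAL_ORIGIN);
  } catch {
    return null;
  }
  // Defence in depth: the resolved URL must stay on the local origin.
  if (u.origin !== LOCAL_ORIGIN) return null;
  return u.pathname + u.search;
}

// Hypothetical renderer: validate first, then encode on output.
function renderFrame(raw) {
  const target = safeLocalTarget(raw);
  if (target === null) return '<p>Invalid target</p>';
  return '<iframe src="' + encodeHtml(target) + '"></iframe>';
}
```

Validation alone stops the redirect to non-local addresses; the encoding step is what addresses the reflected XSS, so both are applied.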