D-Link DWL-2100AP configuration file access
dlink-config-file-access (26973)
Description:
The D-Link DWL-2100AP AirPlus Xtreme G wireless access point could allow a remote attacker to obtain sensitive information. An attacker could send an HTTP GET request for any file in the /cgi-bin directory using the .cfg file extension to obtain the device configuration information. An attacker could use this information to launch further attacks against the affected device.
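Detection example (added here, not part of the X-Force record or any D-Link tooling): a log check for the request pattern described above, a GET for any /cgi-bin path ending in .cfg. It assumes the access point's management traffic passes through a proxy or gateway that writes Common Log Format lines; the sample lines, addresses and function names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Common Log Format: src ident user [ts] "METHOD target PROTO" status size
CLF = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                 r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" '
                 r'(?P<status>\d{3}) (?P<size>\d+|-)')

def is_cfg_probe(method, target):
    """True for a GET whose decoded path is /cgi-bin/<anything>.cfg."""
    if method != "GET":
        return False
    # Drop query/fragment by hand: urlsplit() would read a leading "//" as a host.
    path = unquote(target.split("?", 1)[0].split("#", 1)[0])
    # Collapse repeated slashes and ignore case so trivial variants still match
    # (deliberately broad: over-matching is acceptable for an alert).
    path = re.sub(r"/+", "/", path).lower()
    return path.startswith("/cgi-bin/") and path.endswith(".cfg")

def scan(lines):
    """Return (source, target, verdict) for each matching request.

    verdict is "SERVED" when the device answered 200 with a body, which means
    configuration data probably left the device, otherwise "probe".
    """
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m or not is_cfg_probe(m["method"], m["target"]):
            continue  # unparseable line or unrelated request
        size = 0 if m["size"] == "-" else int(m["size"])
        served = m["status"] == "200" and size > 0
        hits.append((m["src"], m["target"], "SERVED" if served else "probe"))
    return hits

# Constructed sample log lines (documentation address ranges).
SAMPLE = [
    '198.51.100.7 - - [10/Jun/2006:09:14:02 +0000] "GET /cgi-bin/anything.cfg HTTP/1.1" 200 4312',
    '198.51.100.7 - - [10/Jun/2006:09:14:09 +0000] "GET /cgi-bin/%41bc.CFG?x=1 HTTP/1.0" 404 -',
    '192.0.2.20 - - [10/Jun/2006:09:15:30 +0000] "GET /index.html HTTP/1.1" 200 1020',
    '192.0.2.20 - - [10/Jun/2006:09:16:41 +0000] "POST /cgi-bin/save.cfg HTTP/1.1" 200 12',
    'truncated or malformed line',
]

if __name__ == "__main__":
    for src, target, verdict in scan(SAMPLE):
        print(f"{verdict:6} {src} {target}")
```

A "SERVED" hit on an unpatched device means the credentials in its configuration should be treated as exposed and rotated after the firmware upgrade.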
Consequences:
Obtain Information
Remedy:
D-Link Brazil customers should upgrade to the latest firmware version, available from the D-Link Brazil Web site. See References.
References:
- D-Link Brazil Web site: / Downloads / Wireless / DWL-2100AP.
- D-Link Web site: Wireless Access Point (802.11g) DWL-2100AP.
- Full-Disclosure Mailing List, Tue Jun 06 2006 - 20:10:18 CDT: Advisory - D-Link Access Point.
- INTRUDERS TIGER TEAM SECURITY - SECURITY ADVISORY/0206 06/06/2006: D-Link Wireless Access-Point (DWL-2100ap).
- BID-18299: D-Link DWL-2100AP Information Disclosure Vulnerability
- CVE-2006-2901: The web server for D-Link Wireless Access-Point (DWL-2100ap) firmware 2.10na and earlier allows remote attackers to obtain sensitive system information via a request to an arbitrary .cfg file, which returns configuration information including passwords.
- SA20474: D-Link Products Exposure of Configuration Files
- SECTRACK ID: 1016234: D-Link DWL-2100ap Discloses Configuration File to Remote Users
- VUPEN/ADV-2006-2186: D-Link DWL-2100AP Configuration Files Remote Information Disclosure Vulnerability
Platforms Affected:
- D-Link AirPlus Xtreme G DWL-2100AP
Reported:
Jun 06, 2006
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net
