[NEWS] D-Link DIR-100 Long URL Filter Evasion

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.

- - - - - - - - -

D-Link DIR-100 Long URL Filter Evasion


<http://www.dlink.de/?go=gNTyP9CgrdFOIC4AStFCF834mptYKO9ZTdvhLPG3yV3oV492gqltbNlwaaFp6DQoHDrpxC5H+40AAdvl> DIR-100 is "a small and cost-effective router and firewall device for small offices and home users". Marc Ruef at scip AG found a way to evade URL filters of the D-Link DIR-100 web proxy that are meant to prevent access to certain web sites.


Vulnerable Systems:
* D-Link DIR-100 firmware versions up to version 1.12

By adding a very long string to the URL it is possible to access web
resources even if their access is has been forbidden by the DIR-100's URL
filtering mechanism.

It is possible to exploit the vulnerability with a common web browser by
using a long URL (approx. 1300 characters). You can expand the length of
the URL by adding a non-used HTTP get request parameter. Example url:

A video illustrating this issue is available at the following URL:

The Attack Tool Kit ( <http://www.computec.ch/projekte/atk/> ATK) is able
to exploit this vulnerability with the following generic ASL code (expand
the long URL request):
open|send GET http://www.scip.ch/?foo=aaa(...)
HTTP/1.0\n\n|sleep|close|pattern_not_exists *This URL is <font
color=red>blocked</font> by administrator !*

With this vulnerability users are able to access forbidden web resources
without being filtered by the integrated web proxy service.

We have informed D-Link on an early stage. Our technical requests were not
answered nor confirmed. Therefore, not official statement, patch or
upgrade is available.

We suggest the use of another device for filtering forbidden web resources

Vendor response:
D-Link has been informed first via the unhandy web form at
<http://www.dlink.com> http://www.dlink.com (no public mail address for
such cases could be found). The first responses claimed that the problem
must be within a wrong configuration setting. Further discussions were

The support was not able to understand the problem. Not even after several
step-by-step guides and examples. They always suggest that you upgrade to
the latest firmware and they could not verify the problem. Therefore, no
official solution, workaround or patch is available.


The information has been provided by <mailto:maru@xxxxxxx> Marc Ruef.
The original article can be found at:


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.