Vendor: D-Link Affected Products: -DIR-505L SharePort Mobile Companion (HW: A1 / FW: 1.01) -DIR-826L Wireless N600 Cloud Router (HW: A1 / FW: 1.02) Vendor Notification: April 8, 2013 Public Disclosure: July 8, 2013 Vulnerability Type: Authentication Bypass CVE Reference: CVE-2013-4772 Solution Status: Not Fixed Credit: Jason Doyle / tw: jasond0yle
Advisory Details: It is possible to bypass authentication to gain administrator level access to the web management console by navigating directly to any web page while a legitimate session is still active. This is not possible once a legitimate session has expired. During this window of opportunity, at attacker has unfettered access to view and change all configurable settings on the device, including the addition / modification of user accounts for persistent access.
