Authentication Bypass in D-Link D-View 8
Sept. 19, 2023, 7 p.m. | Evan Grant
Tenable Research Advisories www.tenable.com
A researcher at Tenable discovered an authentication bypass vulnerability in D-Link D-View 8 v2.0.1.28.
D-View 8 uses a hard-coded static key, the literal string "D-Link", as the HMAC-SHA256 secret that signs and verifies the JWT used for user authentication:
// webApi-0.0.1-SNAPSHOT.jar!com.dlink.dview8.webapi.utils.TokenUtils
// (imports below match the auth0 java-jwt API these calls use; Utils is D-View's own helper class)
import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.interfaces.DecodedJWT;

public static String verifyToken(String token) {
    if (Utils.isEmpty(token))
        return null;
    // Hard-coded HMAC-SHA256 secret: every D-View 8 installation shares the same signing key
    Algorithm algorithm = Algorithm.HMAC256("D-Link");
    JWTVerifier verifier = JWT.require(algorithm).build();
    DecodedJWT jwt = verifier.verify(token);   // throws JWTVerificationException on a bad signature
    // The caller trusts the userId claim of any token that passes this signature check
    return jwt.getClaim("userId").asString();
}
D-View 8 supports login with an API key, but the supplied API key in the JWT token …
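The following is an added example, not code from Tenable's advisory or from D-Link: it re-implements HS256 JWT signing and verification in plain Python to show why a secret that is the same on every installation makes the signature check worthless, and it gives a defender a check (signed_with_static_key) for whether a token from a deployment still verifies under the publicly known key. The claim names and the per-deployment key handling are assumptions of this example.

```python
"""Added example (not Tenable's or D-Link's code): hard-coded vs per-deployment
JWT secret, with a defender-side check for tokens signed by the known static key."""
import base64
import hashlib
import hmac
import json
import secrets

# The hard-coded secret quoted in the advisory's decompiled verifyToken()
STATIC_KEY = b"D-Link"


def _b64url(data: bytes) -> str:
    """JWT base64url encoding: no padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    """Inverse of _b64url, restoring the padding base64 needs."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Produce a compact HS256 JWT (header.payload.signature)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str, key: bytes):
    """Python mirror of verifyToken(): return the userId claim when the HMAC
    signature is valid under `key`, otherwise None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        # Pin the algorithm so an attacker-controlled header cannot downgrade it
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                            hashlib.sha256).digest()
        # Constant-time comparison; different lengths simply compare unequal
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
        return claims.get("userId") if isinstance(claims, dict) else None
    except ValueError:  # malformed base64 or JSON, wrong number of segments
        return None


def signed_with_static_key(token: str) -> bool:
    """Defender check: does this token verify under the publicly known key?
    True means the issuing server still uses the shared secret, so anyone who
    has read the advisory can produce tokens it will accept."""
    return verify_token(token, STATIC_KEY) is not None


def generate_deployment_key() -> bytes:
    """Hardened alternative (assumed design, not D-Link's fix): a 256-bit random
    secret generated once per installation and stored outside the code base."""
    return secrets.token_bytes(32)


if __name__ == "__main__":
    # Constructed sample: a token a vulnerable build would issue for user "alice"
    vulnerable_token = sign_hs256({"userId": "alice"}, STATIC_KEY)
    print("static-key token flagged:", signed_with_static_key(vulnerable_token))
    deployment_key = generate_deployment_key()
    hardened_token = sign_hs256({"userId": "alice"}, deployment_key)
    print("hardened token flagged:", signed_with_static_key(hardened_token))
```

Run against tokens captured from your own D-View 8 instance, a True result from signed_with_static_key is the signal that the installation is still on the affected build; after a fix that moves to a per-deployment secret, the same check must return False.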