Linksys BEFSX41 EtherFast Router Log Viewer Remote Denial of Service Vulnerability


Vulnerability ID: 1202424
Vulnerability type: Buffer overflow
Published: 2003-10-15
Updated: 2003-12-31
CVE ID: CVE-2003-1497
CNNVD-ID: CNNVD-200312-245
Platform: N/A
CVSS score: 6.3
|Vulnerability source
https://cxsecurity.com/issue/WLB-2007100119
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200312-245
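|Vulnerability details
The Linksys BEFSX41 is a broadband router that includes a web-based administration interface. The Linksys BEFSX41 does not sufficiently filter user-supplied input, and a remote attacker can exploit this vulnerability to cause a denial of service on the router. The web-based administration interface is normally reachable at the default address (http://192.168.1.1) and is accessed using the "get" method. Because the "Log_Page_Num" parameter is not sufficiently filtered, sending an overly long string to the "Log_Page_Num" parameter of the System Log Viewer can crash the router.
|Exploit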
DigitalPranksters Security Advisory
http://www.DigitalPranksters.com

LinkSys EtherFast Router Denial of Service Attack

Risk: Low

Product: Linksys EtherFast Cable/DSL Firewall Router BEFSX41 (Firmware 
1.44.3)

Product URL: http://www.linksys.com/products/product.asp?prid=433

Vendor Contacted: September 9, 2003

Vendor Released Patch: September 26, 2003

DigitalPranksters Public Advisory Released: October 7, 2003

Found By: KrazySnake - krazysnake (at) digitalpranksters (dot) com

Problem:
The Linksys BEFSX41 has a web-based administration utility at a predictable 
default address (http://192.168.1.1). The administration is done through a 
series of html forms using the "get" method. The router also has an out of 
the box password of "admin".

Under the default configuration the router is only accessible from the 
local lan and not the internet. However, an attacker could set up a web 
page or send html email to someone inside of the lan to indirectly send 
commands to the router.

An attacker could specify a URL that results in denial of service. The 
denial of service occurs when a long string is sent to the System Log 
Viewer's "Log_Page_Num" parameter. The router will be unresponsive after 
the URL is visited when logging is enabled.

Proof of Concept:
If an attacker can get the admin of the router to view a URL like 
http://192.168.1.1/Group.cgi?Log_Page_Num=1111111111&LogClear=0, the 
router will become inoperable. The link could be set as the source of an 
image html tag.

Resolution:
Linksys released an updated firmware to address this issue. This firmware 
update is made available by Linksys from 
http://www.linksys.com/download/firmware.asp?fwid=172.

Greetings:
SkippyInside, AngryB, Harmo, HTMLBCat, and Spyder.
Thanks to Linksys for fixing this issue.

Disclaimer:
Standard disclaimer applies. The opinions expressed in this advisory are 
our own and not of any company. The information within this advisory may 
change without notice. Use of this information constitutes acceptance for 
use in an AS IS condition. There are no warranties with regard to this 
information. In no event shall the author be liable for any damages 
whatsoever arising out of or in connection with the use or spread of this 
information. Any use of this information is at the user's own risk.
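
A mail-gateway or web-filter check for the delivery path the advisory describes, an auto-loaded HTML tag pointing at the router's LAN address (added example, not part of the advisory or of any Linksys code). The `MAX_PAGE_DIGITS` bound, the function names and the sample HTML are assumptions constructed for illustration.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Tag/attribute pairs that a browser or mail client fetches without a click.
AUTO_LOAD = {("img", "src"), ("iframe", "src"), ("script", "src"),
             ("embed", "src"), ("link", "href")}
MAX_PAGE_DIGITS = 3  # assumption: a real log page number is a short integer
# Constructed sample: an HTML mail body carrying the URL shape from the advisory.
SAMPLE_HTML = """<html><body><p>Quarterly report attached.</p>
<img src="https://example.com/logo.png">
<img src="http://192.168.1.1/Group.cgi?Log_Page_Num=1111111111&amp;LogClear=0">
</body></html>"""


def classify(url):
    """Return a reason if the URL is a request aimed at a private/loopback IP."""
    try:
        parts = urlsplit(url)
        host = ipaddress.ip_address(parts.hostname or "")
    except ValueError:
        return None  # malformed URL or not an IP literal: out of scope here
    if not host.is_private:
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    for value in params.get("Log_Page_Num", []):
        if not value.isdigit() or len(value) > MAX_PAGE_DIGITS:
            return "abnormal Log_Page_Num sent to private address"
    return "parameterised request to private address" if params else None


class LanRequestFinder(HTMLParser):
    """Collect auto-loaded URLs that would make the reader's client hit the LAN."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:  # HTMLParser has already unescaped &amp;
            reason = classify(value) if (tag, name) in AUTO_LOAD and value else None
            if reason:
                self.findings.append((tag, value, reason))


def scan_html(html):
    finder = LanRequestFinder()
    finder.feed(html)
    finder.close()
    return finder.findings
```
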
|References

Source: XF
Name: linksys-etherfast-logpagenum-dos(13436)
Link: http://xforce.iss.net/xforce/xfdb/13436
Source: BID
Name: 8834
Link: http://www.securityfocus.com/bid/8834
Source: BUGTRAQ
Name: 20031015 LinkSys EtherFast Router Denial of Service Attack
Link: http://www.securityfocus.com/archive/1/341309
Source: www.linksys.com
Link: http://www.linksys.com/download/vertxt/befsx41_1453.txt
Source: SREASON
Name: 3298
Link: http://securityreason.com/securityalert/3298
Source: NSFOCUS
Name: 5555
Link: http://www.nsfocus.net/vulndb/5555
