The D-Link DIR-130 and DIR-330 are vulnerable to authentication bypass of the remote login page, and do not sufficiently protect administrator credentials.
The D-Link DIR-130, firmware version 1.23, and DIR-330, firmware version 1.12, are vulnerable to the following:
CWE-294: Authentication Bypass by Capture-replay - CVE-2017-3191
A remote attacker may be able to obtain administrator credentials and access administrator functionality of the device.
The CERT/CC is currently unaware of a practical solution to this problem.
D-Link Systems, Inc.
Thanks to James Edge for reporting this vulnerability.
This document was written by Garret Wassermann.