When the TP-Link suffers from XSS on the site and your powerline does not work

Questo articolo รจ stato scritto oltre 1 years, il contenuto potrebbe essere datato.

This time, change the topic and I’ll talk about a nice bug found on the international website of TP-LINK but do a nice premise.

I bought the TL-WPA2200kit (two powerline) and a third TL-WPA2200 at the fair in Pordenone (I also took new parts for my pc but I will talk about in another article when I have completed the system) to bring internet in different rooms of the house.

I bought an Nvidia card and as I could not run the third monitor with cables available to me I wrote to assistance. They responded immediately and I realized that I needed cable (DVI-D Dual Link Male / Female no adapters for HDMI or VGA in my possession).

Lived this experience, I try to find a solution to my problem of synchronization of these devices on the internet without success (too much useless stuff) I write TP-LINK to assistance.

The Italian page to contact them directly is: http://www.tp-link.it/support/contact/

I fill out the fields and hit enter.

I find myself with a screen that says OK in a Javascript alert.

I look at the url and I notice that changing the value of the parameter you can change the text of Alert!

In addition, the problem also happens on the international website!

Here is the link where you can try out with any browser: http://www.tp-link.com/it/support/contact/?categoryid=529&msg=Ciao%20gente

Here’s the screenshot of the vulnerabilities!

I did some tests and it seems that there should be an escape of ‘so you can not inject javascript code into the page.


As we can see the code that uses Javascript ago level sucks, check the parameter if it is empty otherwise executes the alert even if the form has not been sent.

I wonder if the site has other vulnerabilities.

Now I ask me now that I’ve written about this issue in the international website I will respond to my request for assistance?

We’ll see him in the next episode!

If you make funny screenshots you put the links in the comments ๐Ÿ˜€


An anonymous sends me these analyzes, some will be false positives but I think the site is not very reliable.

Liked it? Take a second to support Mte90 on Patreon!
Become a patron at Patreon!

Leave a Reply

Your email address will not be published. Required fields are marked *