Several D-Link routers contain CGI capability that is exposed to users as/apply_sec.cgi,and dispatched on the device by the binary/www/cgi/ssi. This CGI code contains two flaws: The/apply_sec.cgi code is exposed to unauthenticated users. The ping_ipaddr argument of the ping_test action fails to properly handle newline characters. Any arguments after a newline character sent as ping_ipaddr in a POST to/apply_sec.cgi are executed on the device with root privileges. The following devices are reported to be vulnerable: DIR-655 DIR-866L DIR-652 DHP-1565 DIR-855L DAP-1533 DIR-862L DIR-615 DIR-835 DIR-825
↧