| Title | D-Link Corporation DNS-320 ShareCenter NAS (Rev.A) Firmware 2.06B01 HOTFIX CWE-78: OS Command Injection |
|---|
| Description | Multiple OS command injection vulnerabilities across 4 CGI binaries in
D-Link DNS-320 firmware 2.06B01:
system_mgr.cgi:
- cgi_set_host (0xaf28): "/bin/hostname %s" via hostname — CONFIRMED
- cgi_set_ntp (0xf53c): "(sntp -r %s) &" via f_ntp_server — CONFIRMED
- cgi_fan_control (0xae0c): "fan_control %s c &" via f_fan_type
- cgi_merge_user (0xbe00): "tail -n %s" via total
account_mgr.cgi:
- cgi_import_users (0xa678): "account_mgr -t '%s'" via app — CONFIRMED
- cgi_batch_add (0xaa84): via f_prefix, f_start, f_number
dsk_mgr.cgi:
- cgi_scan_disk (0xede4): "scandisk -p %s" via f_dev — CONFIRMED
- cgi_raid_rebuild (0xdb40): via f_raidlevel, f_dev
app_mgr.cgi:
- cgi_ftp_stop (0xdcc4): "ftp -z %s" via f_ip — CONFIRMED
- cgi_ftp_start (0xf1e8): via f_ip, f_permanent
- cgi_sqldb (0xf430): via f_dir, f_function
Verification: 5 of 11 functions CONFIRMED by Unicorn Fuzzer. |
|---|
| Source | ⚠️ https://github.com/dxz0069/WAVLINK-WN530H4-Command-Injection-in-set_add_routing/blob/main/D-Link%20DNS-320%20%20system_mgraccount_mgrdsk_mgrapp_mgr%20Multiple%20CGI%20OS%20Command%20Injection.md |
|---|
| User | ST4R (UID 96634) |
|---|
| Submission | 22/04/2026 12:16 (1 month ago) |
|---|
| Moderation | 10/05/2026 17:54 (18 days later) |
|---|
| Status | Accepted |
|---|
| VulDB Entry | 362570 [D-Link DNS-320 2.06B01 /cgi-bin/system_mgr.cgi Privilege Escalation] |
|---|
| Points | 20 |
|---|