Błażej Adamczyk

**Nome do software vulnerável e versões afetadas** Versões 3.7.0 a 3.7.4 do CTFd **Descrição** Uma falha na implementação da lógica do CTFd permite que um usuário autenticado redefina sua atribuição de equipe e se junte a outra equipe enquanto uma competição está em andamento. Esse problema afeta as versões da 3.7.0 até a 3.7.4. O problema foi corrigido na versão 3.7.5. **Recomendações** Para as versões 3.7.0 a 3.7.4, atualize para a versão 3.7.5 para resolver o problema. Como solução temporária, considere restringir as mudanças de equipe durante competições em andamento até que a atualização para a versão 3.7.5 seja aplicada.

**Nome do software vulnerável e versões afetadas** Versões do CTFd anteriores à 3.7.5 **Descrição** O problema diz respeito aos tokens usados para ativação de conta e redefinição de senha no CTFd, que podem ser utilizados indistintamente para essas operações. Quando utilizados, eles são enviados ao servidor como um parâmetro GET e não são de uso único. Isso significa que, durante o período de validade do token, um invasor no caminho pode reutilizar tal token para alterar a senha de um usuário e assumir o controle da conta. Além disso, os tokens também incluem o e-mail do usuário codificado em base64. **Recomendações** Para versões anteriores à 3.7.5, atualize para a versão 3.7.5 ou posterior para resolver o problema. Como solução temporária, considere restringir o acesso aos recursos de ativação de conta e redefinição de senha até que a atualização seja aplicada. Além disso, os usuários devem ter cautela ao usar esses recursos e monitorar a atividade de suas contas para detectar qualquer comportamento suspeito.

**Name of the Vulnerable Software and Affected Versions** D-Link DWR-116 versions 1.06 and earlier D-Link DIR-140L versions 1.02 and earlier D-Link DIR-640L versions 1.02 and earlier D-Link DWR-512 versions 2.02 and earlier D-Link DWR-712 versions 2.02 and earlier D-Link DWR-912 versions 2.02 and earlier D-Link DWR-921 versions 2.02 and earlier D-Link DWR-111 versions 1.01 and earlier **Description** The issue is related to a directory traversal vulnerability in the web interface of D-Link devices. This vulnerability allows remote attackers to read arbitrary files via a specially crafted HTTP request, such as by including `/..` or `//` after "GET /uir". The vulnerability exists due to insufficient path checking. **Recommendations** For D-Link DWR-116 versions 1.06 and earlier, update to a version later than 1.06. For D-Link DIR-140L versions 1.02 and earlier, update to a version later than 1.02. For D-Link DIR-640L versions 1.02 and earlier, update to a version later than 1.02. For D-Link DWR-512 versions 2.02 and earlier, update to a version later than 2.02. For D-Link DWR-712 versions 2.02 and earlier, update to a version later than 2.02. For D-Link DWR-912 versions 2.02 and earlier, update to a version later than 2.02. For D-Link DWR-921 versions 2.02 and earlier, update to a version later than 2.02. For D-Link DWR-111 versions 1.01 and earlier, update to a version later than 1.01. As a temporary workaround, consider restricting access to the web interface until a patch is available.

**Name of the Vulnerable Software and Affected Versions** D-Link DWR-116 versions 1.06 and earlier D-Link DWR-512 versions 2.02 and earlier D-Link DWR-712 versions 2.02 and earlier D-Link DWR-912 versions 2.02 and earlier D-Link DWR-921 versions 2.02 and earlier D-Link DWR-111 versions 1.01 and earlier **Description** The issue is related to insufficient neutralization of special elements used in an OS command in the web interface of D-Link router firmware. This can be exploited by a remote attacker to execute arbitrary code by injecting a shell command into the `sip` parameter when requesting the "chkisg.htm" page. This allows for full control over the device internals. **Recommendations** For D-Link DWR-116 versions 1.06 and earlier, update to a version later than 1.06 to resolve the issue. For D-Link DWR-512 versions 2.02 and earlier, update to a version later than 2.02 to resolve the issue. For D-Link DWR-712 versions 2.02 and earlier, update to a version later than 2.02 to resolve the issue. For D-Link DWR-912 versions 2.02 and earlier, update to a version later than 2.02 to resolve the issue. For D-Link DWR-921 versions 2.02 and earlier, update to a version later than 2.02 to resolve the issue. For D-Link DWR-111 versions 1.01 and earlier, update to a version later than 1.01 to resolve the issue. As a temporary workaround, consider restricting access to the "chkisg.htm" page to minimize the risk of exploitation. Avoid using the `sip` parameter in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** D-Link DWR-116 versions 1.06 and earlier D-Link DIR-140L versions 1.02 and earlier D-Link DIR-640L versions 1.02 and earlier D-Link DWR-512 versions 2.02 and earlier D-Link DWR-712 versions 2.02 and earlier D-Link DWR-912 versions 2.02 and earlier D-Link DWR-921 versions 2.02 and earlier D-Link DWR-111 versions 1.01 and earlier **Description** The issue concerns the storage of administrative passwords in plaintext in the /tmp/csman/0 file. An attacker with directory traversal or Local File Inclusion (LFI) capabilities can easily gain full access to the router. This allows a remote attacker to potentially gain full control over the device. **Recommendations** For D-Link DWR-116 versions 1.06 and earlier, update the firmware to remove the plaintext password storage. For D-Link DIR-140L versions 1.02 and earlier, update the firmware to remove the plaintext password storage. For D-Link DIR-640L versions 1.02 and earlier, update the firmware to remove the plaintext password storage. For D-Link DWR-512 versions 2.02 and earlier, update the firmware to remove the plaintext password storage. For D-Link DWR-712 versions 2.02 and earlier, update the firmware to remove the plaintext password storage. For D-Link DWR-912 versions 2.02 and earlier, update the firmware to remove the plaintext password storage. For D-Link DWR-921 versions 2.02 and earlier, update the firmware to remove the plaintext password storage. For D-Link DWR-111 versions 1.01 and earlier, update the firmware to remove the plaintext password storage. As a temporary workaround, consider restricting access to the /tmp/csman/0 file to minimize the risk of exploitation.