Craig Heffner

**Name of the Vulnerable Software and Affected Versions** D-Link DIR-645 Wired/Wireless Router Rev. Ax versions prior to 1.04b12 **Description** The HNAP (Home Network Administration Protocol) interface fails to properly neutralize special characters used in OS commands. This allows remote attackers to execute arbitrary commands via a 'GetDeviceSettings' action. In real-world incidents, the Goldoon botnet has exploited this issue to gain full control over devices, extract data, and establish communication with Command and Control (C&C) servers to launch DDoS attacks across 27 different vectors using DNS, HTTP, ICMP, TCP, and UDP protocols. **Recommendations** Update the firmware to a version later than 1.04b12. As a temporary workaround, restrict access to the HNAP interface to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** D-Link DIR-100 D-Link DIR-120 D-Link DI-624S D-Link DI-524UP D-Link DI-604S D-Link DI-604UP D-Link DI-604+ D-Link TM-G5240 Planex BRL-04R Planex BRL-04UR Planex BRL-04CW Alpha Networks routers (affected versions not specified) **Description** The issue allows remote attackers to bypass authentication and modify settings on the affected routers. This is achieved by using a specific `User-Agent` HTTP header, namely `xmlset roodkcableoj28840ybtide`. There have been real-world incidents where this issue was exploited, specifically in October 2013. **Recommendations** For D-Link DIR-100, update the firmware to remove the vulnerable `User-Agent` header handling. For D-Link DIR-120, restrict access to the web interface until a patch is available. For D-Link DI-624S, avoid using the web interface for critical operations until the issue is resolved. For D-Link DI-524UP, consider disabling remote access to the web interface as a temporary workaround. For D-Link DI-604S, update the router's configuration to limit access to the web interface. For D-Link DI-604UP, change the default settings to prevent unauthorized access. For D-Link DI-604+, apply the latest security patch to fix the authentication bypass issue. For D-Link TM-G5240, modify the `User-Agent` header handling to prevent exploitation. For Planex BRL-04R, restrict the use of the vulnerable `User-Agent` header. For Planex BRL-04UR, update the router's software to remove the vulnerable code. For Planex BRL-04CW, disable the web interface until a fix is available. For Alpha Networks routers, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ANGEL Learning Management Suite (LMS) version 7.1 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `id` parameter in the "section/default.asp" API endpoint. **Recommendations** For version 7.1, consider restricting access to the `id` parameter in the "section/default.asp" endpoint until a patch is available. As a temporary workaround, avoid using the `id` parameter in this endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** NetProxy version 4.03 **Description** The connection log file implementation does not record requests that omit http:// in a URL, which might allow remote attackers to conduct unauthorized activities and avoid detection. **Recommendations** For NetProxy version 4.03, update the connection log file implementation to record all requests, including those that omit http:// in a URL, to prevent unauthorized activities from going undetected.

**Name of the Vulnerable Software and Affected Versions** Grok Developments NetProxy version 4.03 **Description** The issue allows remote attackers to bypass URL filtering. This can be achieved by sending a request that omits "http://" from the URL and specifies the destination port, such as :80. **Recommendations** For Grok Developments NetProxy version 4.03, consider updating the URL filtering rules to handle requests without the "http://" prefix and those that specify the destination port explicitly. As a temporary workaround, restrict access to sensitive URLs by implementing additional filtering mechanisms that check for the presence of "http://" and the destination port in incoming requests.

**Name of the Vulnerable Software and Affected Versions** DoSePa version 1.0.4 **Description** A directory traversal issue exists, allowing remote attackers to read arbitrary files. This is achieved by using a .. (dot dot) sequence or absolute file path in the `file` parameter. **Recommendations** For version 1.0.4, update to a newer version that contains a fix for this issue. As a temporary workaround, consider restricting access to the `textview.php` file to minimize the risk of exploitation. Avoid using absolute file paths or .. (dot dot) sequences in the `file` parameter until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** BrewBlogger version 1.3.1 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `id` parameter in the printLog.php file. **Recommendations** For BrewBlogger version 1.3.1, consider restricting access to the printLog.php file or validating and sanitizing the `id` parameter to prevent SQL injection attacks. As a temporary workaround, avoid using the `id` parameter in the affected printLog.php file until a patch is available.