Secenv

**Name of the Vulnerable Software and Affected Versions** D-Link DIR-859 versions 1.05 through 1.06B01 Beta01 **Description** The issue allows remote attackers to execute arbitrary OS commands via a `urn:` to the M-SEARCH method in `ssdpcgi()` in `/htdocs/cgibin`, because `HTTP ST` is mishandled. The value of the `urn:` service/device is checked with the `strstr` function, which allows an attacker to concatenate arbitrary commands separated by shell metacharacters. This is due to the lack of neutralization of special elements used in the operating system command. **Recommendations** For D-Link DIR-859 versions 1.05 through 1.06B01 Beta01, as a temporary workaround, consider disabling the `ssdpcgi()` function in `/htdocs/cgibin` until a patch is available. Restrict access to the `/htdocs/cgibin` directory to minimize the risk of exploitation. Avoid using the `urn:` service/device in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** D-Link DIR-859 versions 1.05 through 1.06B01 Beta01 **Description** The issue exists due to the mishandling of the REMOTE PORT component in the D-Link DIR-859 router's firmware, allowing an attacker to execute arbitrary OS commands. This can be achieved by sending a request to the `/htdocs/cgibin` endpoint using the M-SEARCH method with a specially crafted `urn:` value. The `strstr` function is used to check the value of `urn: service/device`, which enables an attacker to concatenate arbitrary commands separated by shell metacharacters. **Recommendations** For D-Link DIR-859 versions 1.05 through 1.06B01 Beta01, consider disabling the `ssdpcgi()` function in `/htdocs/cgibin` as a temporary workaround until a patch is available. Restrict access to the `/htdocs/cgibin` endpoint to minimize the risk of exploitation. Avoid using the `urn:` service/device value in the M-SEARCH method until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** D-Link DIR-859 versions 1.05 through 1.06B01 Beta01 **Description** The issue exists due to the mishandling of the `SERVER ID` component in the D-Link DIR-859 router's firmware, allowing a remote attacker to execute arbitrary OS commands. This is achieved by exploiting the `urn:` service/device value checked with the `strstr` function, which enables an attacker to concatenate arbitrary commands separated by shell metacharacters. The exploitation occurs via the M-SEARCH method in `ssdpcgi()` in `/htdocs/cgibin`. **Recommendations** For D-Link DIR-859 versions 1.05 through 1.06B01 Beta01, as a temporary workaround, consider disabling the `ssdpcgi()` function in `/htdocs/cgibin` until a patch is available. Restrict access to the `/htdocs/cgibin` directory to minimize the risk of exploitation. Avoid using the `urn:` service/device value in the M-SEARCH method until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** D-Link DIR-859 versions prior to 1.07b03 beta **Description** The issue allows for unauthenticated information disclosure. This can be achieved by using the `AUTHORIZED GROUP=1%0a` value, as demonstrated in the `vpnconfig.php` file. **Recommendations** For versions prior to 1.07b03 beta, update to version 1.07b03 beta or later to resolve the issue. As a temporary workaround, consider restricting access to the `vpnconfig.php` file to minimize the risk of exploitation.