CVE-2019-20215

Name of the Vulnerable Software and Affected Versions D-Link DIR-859 versions 1.05 through 1.06B01 Beta01

Description The issue allows remote attackers to execute arbitrary OS commands via a urn: to the M-SEARCH method in ssdpcgi() in /htdocs/cgibin, because HTTP ST is mishandled. The value of the urn: service/device is checked with the strstr function, which allows an attacker to concatenate arbitrary commands separated by shell metacharacters. This is due to the lack of neutralization of special elements used in the operating system command.

Recommendations For D-Link DIR-859 versions 1.05 through 1.06B01 Beta01, as a temporary workaround, consider disabling the ssdpcgi() function in /htdocs/cgibin until a patch is available. Restrict access to the /htdocs/cgibin directory to minimize the risk of exploitation. Avoid using the urn: service/device in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.