Multiple D-Link routers have vulnerabilities in their Common Gateway Interface (CGI) that, if exploited, could result in remote code execution.

The Carnegie Mellon University Software Engineering Institute’s CERT/CC reported that the CGI code has two flaws: the /apply_sec.cgi code is exposed to unauthenticated users, and the ping_ipaddr argument of the ping_test action fails to properly handle newline characters.

The result is that any arguments after a newline character sent as ping_ipaddr in a POST to /apply_sec.cgi are executed on the device with root privileges.

“By performing an HTTP POST request to a vulnerable router’s /apply_sec.cgi page, a remote, unauthenticated attacker may be able to execute commands with root privileges on an affected device. This action can happen as the result of viewing a specially-crafted web page,” the report said.

The products affected are the DIR-655, DIR-866L, DIR-652, DHP-1565, DIR-855L, DAP-1533, DIR-862L, DIR-615, DIR-835 and DIR-825.

There is currently no patch, update or workaround available for these problems. Additionally, D-Link no longer supports the affected routers.
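
A detection check for the request pattern CERT/CC describes, written for this article as an added example; it is not D-Link or CERT/CC code. It assumes a proxy or sensor in front of the device can see the POST path and form-encoded body, that a legitimate ping target is a bare IP address or hostname, and the function names and sample requests are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import parse_qs

# A hostname made of dot-separated labels. \Z anchors at the true end of the
# string; "$" would also match just before a trailing newline and miss it.
HOSTNAME_RE = re.compile(
    r"(?=.{1,253}\Z)([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\Z"
)

def is_plain_ping_target(value: str) -> bool:
    """True only for a bare IP literal or hostname (assumed legitimate input)."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return HOSTNAME_RE.match(value) is not None

def inspect_post(path: str, body: str) -> list[str]:
    """Return findings for one POST; an empty list means nothing was flagged."""
    if path.split("?", 1)[0] != "/apply_sec.cgi":
        return []
    findings = []
    # parse_qs percent-decodes values, so an encoded newline (%0a) is seen
    # the same way as a raw one.
    fields = parse_qs(body, keep_blank_values=True)
    for value in fields.get("ping_ipaddr", []):
        if "\n" in value or "\r" in value:
            findings.append("newline in ping_ipaddr")
        elif not is_plain_ping_target(value):
            findings.append("ping_ipaddr is not a bare IP address or hostname")
    return findings

# Constructed sample requests (path, body); addresses are documentation ranges.
SAMPLES = [
    ("/apply_sec.cgi", "ping_ipaddr=192.0.2.10"),
    ("/apply_sec.cgi", "ping_ipaddr=192.0.2.10%0aEXAMPLE"),
    ("/apply_sec.cgi", "ping_ipaddr=192.0.2.10+extra"),
    ("/index.html", "q=1"),
]

if __name__ == "__main__":
    for path, body in SAMPLES:
        print(path, repr(body), "->", inspect_post(path, body) or "ok")
```

Because the report says /apply_sec.cgi is reachable without authentication, any POST to that path from outside the management network is worth logging even when the check returns no findings.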