Support Announcements
DIR-845L/DIR-860L / DIR-865L / DIR-868L / DIR-880L :: Multiple XSS Vulnerabilities & Command Injection

A 3rd Party reported multiple XSS vulnerabilities in the DIR-845L Rev. Ax (non-US), DIR-860L Rev. Ax, DIR-865L Rev. Ax, and DIR-868L Rev. Ax. in their web configuration scripts. In addition, a command injection vulnerability has been found in the soap.cgi of the DIR-845L Rev. Ax (non-US), DIR-860L Rev. Ax, DIR-865L Rev. Ax, DIR-868L Rev. Ax., and DIR-880L Rev Ax.

 

Firmware has been released and confirmed by the 3rd Party to fix these issues. The DIR-845L Rev. Ax (non-US), DIR-860L Rev. Ax, DIR-865L Rev. Ax, and DIR-868L Rev. Ax does require a two-step firmware to complete the update. The DIR-880L requires only 1 firmware update.

 

Discovered by: Kaixiang Zhang of Qihoo 360 Gear Team

 

Reported: 01/14/18 

Fix Released: 02/27/18 DIR-860L, DIR-865L, DIR-868L

 

Details

 

CVE-2018-6527=====

XSS vulnerability in htdocs/webinc/js/adv_parent_ctrl_map.php in 

D-Link DIR-868L DIR868LA1_FW112b04 and previous versions
D-Link DIR-865L DIR-865L_REVA_FIRMWARE_PATCH_1.08.B01 and previous versions
D-Link DIR-860L DIR860LA1_FW110b04 and previous versions 

allows remote attackers to read a cookie via a crafted deviceid parameter to soap.cgi.


CVE-2018-6528=====

XSS vulnerability in htdocs/webinc/body/bsc_sms_send.php in 

D-Link DIR-868L DIR868LA1_FW112b04 and previous versions
D-Link DIR-865L DIR-865L_REVA_FIRMWARE_PATCH_1.08.B01 and previous versions
D-Link DIR-860L DIR860LA1_FW110b04 and previous versions 

allows remote attackers to read a cookie via a crafted receiver parameter to soap.cgi.


CVE-2018-6529=====

XSS vulnerability in htdocs/webinc/js/bsc_sms_inbox.php in

D-Link DIR-868L DIR868LA1_FW112b04 and previous versions
D-Link DIR-865L DIR-865L_REVA_FIRMWARE_PATCH_1.08.B01 and previous versions
D-Link DIR-860L DIR860LA1_FW110b04 and previous versions

allows remote attackers to read a cookie via a crafted Treturn parameter to soap.cgi.


CVE-2018-6530=====

OS command injection vulnerability in soap.cgi (soapcgi_main incgibin) in 

D-Link DIR-880L DIR-880L_REVA_FIRMWARE_PATCH_1.08B04 and previous versions
D-Link DIR-868L DIR868LA1_FW112b04 and previous versions
D-Link DIR-865L DIR-865L_REVA_FIRMWARE_PATCH_1.08.B01 and previous versions
D-Link DIR-860L DIR860LA1_FW110b04 and previous versions

Allows remote attackers to execute arbitrary OS commands via the service parameter.

 

Links to Fixed/Released Firmware

 


 

Model & Revision Link to Firmware Released
DIR-845L Rev. Ax (non-US) Under Development                              Beta Est. End'Oct'18
DIR-860L Rev. Ax Firmware / Release Notes

02/28/18

DIR-865L Rev. Ax Firmware / Release Notes

02/28/18

DIR-868L Rev. Ax Firmware / Release Notes

02/28/18

DiR-880L Rev. Ax Firmware / Release Notes

02/28/18