CVE-2022-37123 D-link DIR-816 A2_v1.10CNB04.img is vulnerable to Command injection via /goform/form2userconfig.cgi

An attacker can inject arbitrary commands into the application by injecting the command into the URL. For example, the following command can be injected into the application process to execute a SQL injection:

/goform/form1 SQL -e 'select 1; -- Command Injection via Nested Form

nestedform1.php?cmd=1 -- Command Injection via HTML form.

/goform/form2userconfig.cgi?cmd=1 -- Command Injection via HTML form.

In addition to Command injection, there are several other security vulnerabilities in this model. We will discuss them in details below.

D-link DIR-836 A2_v1.10CNB04.img is vulnerable to Stored XSS due to lack of sanitization of user input.

An attacker can inject malicious code into the application in the form of a Stored XSS, then if the user visits any malicious page, the malicious code will be executed in the victim's browser.

/goform/login.cgi?redirect_url=http://target/xss.cgi?user=script>alert(1) /script> -- Stored XSS

D-link DIR-836 A2_v1.10CNB04.img is vulnerable to Reflected XSS due to lack of sanitization of user input.

An attacker can inject malicious

Reflected XSS

An attacker can inject malicious code into the application in the form of a Reflected XSS, then if the user visits any malicious page, the malicious code will be executed in the victim's browser.

/goform/login.cgi?redirect_url=http://target/xss.cgi?user=%2fscript>alert(1) /script> -- Reflected XSS

Stored XSS

An attacker can inject malicious code into the application in the form of a Stored XSS, then if the user visits any malicious page, the malicious code will be executed in the victim's browser.

Stored XSS (CVE-2016-2842)

An attacker can inject malicious code into the application in the form of a Stored XSS, then if the user visits any malicious page, the malicious code will be executed in the victim's browser. For example:

/goform/login.cgi?redirect_url=http://target/xss.cgi?user=script>alert(1) /script> -- Stored XSS

D-link DIR-836 A2_v1.10CNB04.img is vulnerable to Reflected XSS due to lack of sanitization of user input. For example:

/goform/login.cgi?redirect_url=http://target/xss.cgi?user=script>alert(1) /script> -- Reflected XSS

Timeline

Published on: 08/31/2022 23:15:00 UTC
Last modified on: 09/02/2022 23:26:00 UTC

References

• https://www.dlink.com/en/security-bulletin/
• https://github.com/z1r00/IOT_Vul/blob/main/dlink/Dir816/form2userconfig_cgi/readme.md
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-37123