CVE-2023-5153: Critical SQL Injection Vulnerability Found in Unsupported D-Link DAR-800 Firmware

Disclaimer: This vulnerability only affects products that are no longer supported by the maintainer. The vendor has been contacted and has confirmed that the product is end-of-life. It should be retired and replaced.

Summary: A critical vulnerability, identified as CVE-2023-5153, has been discovered in the unsupported firmware of D-Link DAR-800 up to version 20151231. This security flaw affects an unknown part of the file /Tool/querysql.php and allows for SQL injection attacks to be executed remotely. The exploit has been disclosed to the public and could potentially be used maliciously. The vulnerability has been assigned the identifier VDB-240249.

Exploit Details: The CVE-2023-5153 vulnerability lies in an unknown part of the file /Tool/querysql.php which allows for unauthorized access and manipulation of data in the underlying SQL database. This can lead to data breaches, unauthorized changes to the system, and a potential takeover of the device by attackers. The exploit can be triggered remotely without any authentication.

The following code snippet demonstrates the potential injection point in the affected file /Tool/querysql.php:

(string)$SQL = $_GET['query'];
$SQL = str_replace("\\\\", "\\", $SQL);
$result = mysql_query($SQL, $conn) or die(mysql_error());

By manipulating the variable $SQL, an attacker can inject malicious SQL commands into the system, enabling them to perform a wide range of actions such as reading, modifying, or deleting sensitive data.

Original References

1. CVE-2023-5153 Details
2. VDB-240249 Details
3. SQL Injection Basics
4. D-Link Product Support

Mitigation: As mentioned earlier, the affected product (D-Link DAR-800 up to version 20151231) is no longer supported by the manufacturer. D-Link has confirmed that the product is end-of-life, and users are advised to retire and replace the device with a more current, supported version. It's always recommended to keep all hardware and software up-to-date with the latest security patches and firmware updates to minimize any potential risks.

Conclusion: CVE-2023-5153 is a critical vulnerability found in unsupported firmware of D-Link DAR-800, enabling attackers to perform SQL injection attacks remotely. As it's an end-of-life product, users are advised to retire and replace it with its supported version. By doing so, users can protect their systems and data from potential malicious attacks.

Timeline

Published on: 09/25/2023 03:15:09 UTC
Last modified on: 11/07/2023 04:23:33 UTC