Support Announcement
Central WiFi Manager (CWM-100) :: CVE-2018-15515 - Privilege Escalation on File System

On November 8, 2018, D-Link's Central WiFi Manager software (described here) was disclosed to have a privilege escalation vulnerability.

 

D-Link® Central WiFi Manager software controller helps network administrators streamline their wireless access point (AP) management workflow. Central WiFi Manager is an innovative approach to the more traditional hardware-based multiple access point management system. It uses a centralized server to both remotely manage and monitor wireless APs on a network. Whether deployed on a local computer or hosted on a public cloud service, Central WiFi Manager can be easily integrated into existing networks in conjunction with supporting D-Link wireless APs, to help eliminate existing bottlenecks for wireless traffic.

 

3rd Party Report Accreditation:

 

Author: John Page (aka hyp3rlinx) :: hyp3rlinx <apparitionsec () gmail com>

 

 

Affected Products:

 

This disclosure directly affects the software package, and current installations should be updated with the new release available to download below. Failure to update may put this software package, the host computer it runs on, and the D-Link devices that it manages at risk.

 

Solution/Patch/Fix:

  1. Arbitrary SQL query (conn.php)
  2. Remote command execution (index.action.class.php)
  3. SQL injection (payaction.class.php)
  4. Cross site scripting (payaction.class.php)

Affected Product | Affected Version | Corrected Version | Last Updated
CWM-100 :: D-Link Central WiFi Manager | Ver. 1.03 for Windows | v.1.03r001_Beta06 | 12/03/2018

 

Security Patches

 

These updates address the security vulnerabilities in the affected D-Link software package. D-Link will update this continually, and we strongly recommend that all users install the relevant updates.

 

To update, we recommend saving your configuration, uninstalling the old package, then installing the new update. Further assistance can be found via chat or email at http://support.dlink.com