[Oct 08, 2018]
D-Link addresses several remote code execution and XSS vulnerabilities affecting the Central WiFiManager access point management tool.
D-Link Central WiFiManager is a software controller that helps network administrators streamline their wireless access point (AP) management workflow. It uses a centralized server to allow remote management and monitoring of the wireless APs on a network.
The software can be deployed both locally and in the cloud.
The flaws are:
– The presence of default credentials (admin/admin) in the FTP server running on port 9000 of the web app.
– Authenticated remote code execution through unrestricted upload of a file with a dangerous type.
– Two stored XSS flaws in the “UpdateSite” and “addUser” functionality, specifically in the sitename and username parameters, respectively.
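The two application-level flaw classes listed above, an unrestricted file upload and stored XSS in user-supplied parameters, are both fixed by validating input on the way in and encoding it on the way out. The following is an added defensive example, not D-Link's code and not taken from the advisory: the upload allowlist, the function names and the sample inputs are constructed assumptions that show how a handler for such a management tool could reject dangerous uploads and render the sitename and username parameters safely.

```python
"""Defensive handling for the flaw classes named on the page: unrestricted
file upload with a dangerous type, stored XSS via sitename/username, and
shipped default credentials. Hypothetical example code, not the product's."""
import html
import os
import re
from typing import Tuple

# Constructed allowlist: file types an AP-management import could plausibly
# accept. The real product's accepted types are not stated on the page.
ALLOWED_EXTENSIONS = {".csv", ".txt", ".cfg"}

# Magic bytes / prefixes that reveal executable, archive or script content.
# These are rejected even when the claimed extension looks harmless.
DANGEROUS_PREFIXES = (b"MZ", b"\x7fELF", b"PK\x03\x04", b"<?php", b"<%")

# Constructed default credential pair taken from the advisory text.
DEFAULT_CREDENTIALS = {("admin", "admin")}

_SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def validate_upload(filename: str, content: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason) for an uploaded file.

    Rejects path traversal, names outside a conservative character set,
    double extensions such as 'aps.csv.php', extensions not on the allowlist,
    and bodies whose leading bytes identify code or binaries.
    """
    base = os.path.basename(filename)
    if base != filename or not _SAFE_NAME.match(base):
        return False, "unsafe filename"
    parts = base.lower().split(".")
    if len(parts) != 2 or not parts[0]:
        return False, "exactly one extension required"
    ext = "." + parts[1]
    if ext not in ALLOWED_EXTENSIONS:
        return False, "extension %s not allowed" % ext
    if content.startswith(DANGEROUS_PREFIXES):
        return False, "content looks like code or a binary"
    if b"\x00" in content:
        return False, "binary content in a text upload"
    return True, "ok"


def render_site_row(sitename: str, username: str) -> str:
    """Build the HTML row that lists a site and the user who owns it.

    Every attacker-controlled value passes through html.escape, which with
    quote=True (the default) also encodes ' and ", so a value cannot break out
    of an attribute or inject a tag when the stored row is displayed later.
    """
    return ('<tr><td class="site">%s</td><td class="user">%s</td></tr>'
            % (html.escape(sitename), html.escape(username)))


def credentials_are_default(username: str, password: str) -> bool:
    """True when a service account still uses a shipped default pair; a
    deployment check should refuse to expose the FTP service in that state."""
    return (username, password) in DEFAULT_CREDENTIALS


if __name__ == "__main__":
    # Constructed sample inputs for a stand-alone run.
    print(validate_upload("aps.csv", b"name,mac\nap1,00:11:22:33:44:55"))
    print(validate_upload("aps.csv.php", b"<?php echo 1; ?>"))
    print(render_site_row("<script>alert(1)</script>", 'bob" onmouseover="x'))
    print(credentials_are_default("admin", "admin"))
```

The upload check deliberately combines a name check with a content check: an extension allowlist alone is defeated by a harmless extension on an executable body, and content sniffing alone is defeated by a script that begins with innocuous bytes, so each guard covers the other's blind spot. Output encoding is applied at render time rather than at storage time so that the stored value stays intact for other consumers (exports, APIs) while every HTML view is safe.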
Cyber Security Tips:
– D-Link addressed these vulnerabilities in version 1.03R0100-Beta1. IT staff are strongly advised to upgrade their systems.