Unrestricted upload of file with dangerous type in D-Link Central WiFi Manager - CVE-2018-17442
Published: October 8, 2018 / Updated: June 17, 2021
Vulnerability identifier: #VU15171
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber
CVE-ID: CVE-2018-17442
CWE-ID: CWE-434
Exploitation vector: Remote access
Exploit availability:
Public exploit is available
Vendor: D-Link
Affected software:
D-Link Central WiFi Manager
D-Link Central WiFi Manager
Detailed vulnerability description
The vulnerability allows a remote authenticated attacker to execute arbitrary code on the target system.
The weakness exists due to unrestricted file upload of file with dangerous type when the .rar is uploaded is stored in the path '\web\captivalportal' in a folder with a timestamp created by the PHP time() function. A remote attacker can upload RAR archives, abuse the functionality to upload archives that include a PHP file and execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability may result in system compromise.
The weakness exists due to unrestricted file upload of file with dangerous type when the .rar is uploaded is stored in the path '\web\captivalportal' in a folder with a timestamp created by the PHP time() function. A remote attacker can upload RAR archives, abuse the functionality to upload archives that include a PHP file and execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability may result in system compromise.
How to mitigate CVE-2018-17442
Update to version 1.03R0100-Beta1.