Discovered by: Jingwei Feng
Contact Information: [email protected]
Affected Versions:
D-Link DIR-615 (Hardware Revision D) firmware v4.10 and potentially earlier versions.
Component:
Embedded httpd web server and URL Blocking scripts (set_temp_nodes.php, adv_url_filter.php, flush_blocking.php)
A stored command injection vulnerability exists in the URL Filtering configuration logic of the D-Link DIR-615 (Rev D) firmware.
The firmware fails to properly sanitize user input in the "URL" field when creating a new URL blocking rule. By injecting shell metacharacters into this field, an authenticated attacker can execute arbitrary system commands with root privileges.
The malicious command is first stored in a temporary session node, then committed to the device's configuration (NVRAM/RGDB), and finally executed when the firewall rules are regenerated.
This vulnerability requires administrator authentication. The attacker must have valid credentials to log in to the web interface to reach the URL filtering configuration pages.
The injection process involves two steps:
Staging: The payload is sent via set_temp_nodes.php (typically used by the frontend JS to stage large configuration arrays).
POST /set_temp_nodes.php
TEMP_NODES=/runtime/post/session_...&data=3&start=1...&d_1_1=[PAYLOAD]...
Commit: The staged data is then saved to the persistent configuration via adv_url_filter.php.
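A detection check for the staging request described above, added here as an example and not taken from the advisory or the firmware: it flags POSTs to set_temp_nodes.php whose staged fields contain shell metacharacters, including percent-encoded ones. The `d_<n>_<n>` field pattern (generalized from the `d_1_1` shown above), the metacharacter set, the function name and the sample requests are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl

# Characters a shell treats specially (assumed set); none are expected in a
# blocked-URL entry such as a hostname or path keyword.
SHELL_META = re.compile(r"[;&|`$<>\n\r\\(){}]")
# Assumption: staged array fields all follow the d_<n>_<n> naming of "d_1_1".
STAGED_FIELD = re.compile(r"^d_\d+_\d+$")
STAGING_PATH = "/set_temp_nodes.php"


def suspicious_fields(method, path, body):
    """Return [(field, decoded_value)] for staged values holding shell metacharacters."""
    if method.upper() != "POST" or path.split("?", 1)[0] != STAGING_PATH:
        return []
    hits = []
    # parse_qsl percent-decodes values, so %3B or %60 cannot hide a metacharacter.
    for name, value in parse_qsl(body, keep_blank_values=True):
        if STAGED_FIELD.match(name) and SHELL_META.search(value):
            hits.append((name, value))
    return hits


# Constructed sample requests (method, path, form body); not captured traffic.
PREFIX = "TEMP_NODES=/runtime/post/session_TEST&data=3&start=1&"
SAMPLES = [
    ("POST", STAGING_PATH, PREFIX + "d_1_1=ads.example.com"),
    ("POST", STAGING_PATH, PREFIX + "d_1_1=example.com%3BINJECTED"),
    ("POST", STAGING_PATH, PREFIX + "d_1_1=a.example&d_2_1=%60INJECTED%60"),
    ("GET", "/adv_url_filter.php", ""),
]

if __name__ == "__main__":
    for method, path, body in SAMPLES:
        hits = suspicious_fields(method, path, body)
        verdict = "ALERT" if hits else "ok"
        print(f"{verdict:5} {method} {path} {hits}")
```

The same check can run in a reverse proxy or over logged request bodies; an alert on the staging request is most useful when correlated with a following request to adv_url_filter.php from the same session.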
Trigger Point
The injected command is executed when the system is triggered to re-apply the blocking rules, which can be done via: