D-Link Forums
The Graveyard - Products No Longer Supported => Routers / COVR => DIR-868L => Topic started by: FurryNutz on February 28, 2018, 09:23:15 AM
-
Firmware: v1.20 Build 01 Beta 02/28/2018 WW Region!
Revision Info:
Problems Resolved:
Reported: 01/14/2018
Discovered by: Kaixiang Zhang of Qihoo 360 Gear Team
CVE-2018-6527 - XSS vulnerability in htdocs/webinc/js/adv_parent_ctrl_map.php allowing remote attackers to read a cookie via a crafted deviceid parameter to soap.cgi.
CVE-2018-6528 - XSS vulnerability in htdocs/webinc/body/bsc_sms_send.php allowing remote attackers to read a cookie via a crafted receiver parameter to soap.cgi.
CVE-2018-6529 - XSS vulnerability in htdocs/webinc/js/bsc_sms_inbox.php allowing remote attackers to read a cookie via a crafted Treturn parameter to soap.cgi.
CVE-2018-6530 - OS command injection vulnerability in soap.cgi (soapcgi_main in cgibin) allowing remote attackers to execute arbitrary OS commands via the service parameter.
NOTE: Follow the FW Update Process (http://forums.dlink.com/index.php?topic=42457.0)
Get it here:
DIR-868L (http://support.dlink.com/productinfo.aspx?m=DIR-868L)
-
Hello and thanks for updating the firmware to fix the vulnerability.
After doing the firmware update as described, I'm no longer getting any info on the web interface of my router, and I'm getting an InitGeneral() ERROR!!!
Any way to fix this issue? I'm trying to set up the date and time again but nothing is getting saved, so I don't want to reset the router because I'm not sure if anything is going to get saved and I end up with a router that I can't reconfigure.
Here's a SS of the issue I'm having.
Thanks for your help.
(https://trovrg.bn.files.1drv.com/y4mveulR5UbhBlP2GKTRA_tqEAyM6GfGdexr7vKbZ8SvqvaF7nU2iMeCu4Vhz6PSBoczbqbDRw2YHnwYvH2b_gpQV8Re6Jyc5N1AQ93iRtJlNAmRLmMHfc6QGmV37qmcZcnHEP3SLSfeL8B4pUDmmjCoGP3BN7PRBzjcb_-QSq8dkhxVynTMtUaqFQgeKyWXjxyhf_4wg8kUsOXoLb3SHSnbA?)
-
Link: Welcome! (http://forums.dlink.com/index.php?topic=48135.0)
- What region are you located?
What browser are you using?
Try Opera or FF? If IE 8, 9, 10 or 11, set compatibility mode and test again. (For older generation routers.)
Disable any security browser Add-ons like No Script and Ad-Block or configure them to allow All Pages when connected to the router.
Clear all browser caches.
-
Hi, thanks for this updated firmware. Does it include the KRACK fix? Thanks.
-
Doesn't look like it.
I don't see it on the list for a KRACK fix either:
http://forums.dlink.com/index.php?topic=72763.0
I'll ask about this and see. The 868L is EOL so not sure if it will get anything more.
-
If the product is not on this list, it is (most likely) not affected --> https://securityadvisories.dlink.com/announcement/publication.aspx?name=SAP10075
The 868 is not on the list.
-
Thank you.
-
Thanks for the replies.
-
;)
-
Just want to report that I found my 868L not responding in wireless bridge mode with a DISH Joey connected to it and to a non-D-Link wireless AP on 5GHz. I tried power cycling the 868L and connecting to the UI while in bridge mode. I found that using IE and FF and other browsers I could get to the web page, however with no PW set, selecting Enter or Login does nothing. Just sits there. I cleared all browser caches and still nothing. I factory reset the router via push pin button and I could get to the router mode web page and log in. Selecting Bridge mode again from the router's web page, it rebooted and again, I can access the log in page in bridge mode however Enter or Log in does nothing. So I did the recovery mode method and loaded v1.12 on to the router. The FW took and it rebooted however my PC would not get an IP address, so I power cycled the router off then back on then the PC finally got an IP address. I logged into the router in router mode and selected Bridge mode and let it reboot. I set the PC for static IP and waited for the router to come to ready. This time I could get to the web page and can log in and get into the router's web page in bridge mode.
Not sure what happens to cause this odd log in behavior on this version of FW while in bridge mode. Something for users to be aware of. I presume D-Link won't do anything since the 868L is EOL. Wanted to let others know.
I'll try and reload this version again and see if I can reproduce.
-
FYI there is a new security patch FW available for the 868L. I'll download this and check it out. I presume existing problems are not corrected, i.e. QoS and Bridge mode stops working.
https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10147
I'll post my experiences...
-
FYI, Security update for the DIR-868L Rev B Only:
http://forums.dlink.com/index.php?topic=75404.0