D-Link Forums

The Graveyard - Products No Longer Supported => IP Cameras => DCS-932L => Topic started by: FurryNutz on July 26, 2016, 09:10:42 AM

Title: New - DCS-932L Rev A v1.13.04 Firmware Comments & Observations
Post by: FurryNutz on July 26, 2016, 09:10:42 AM
D-Link posted DCS-932L Rev A firmware version v1.13 B04 which can be downloaded here: https://www.mydlink.com/download

Problems Fixed
1. Fixed CSRF vulnerability for the camera’s web-UI (Exclude CGI APIs).
2. Fixed the “RSA-CRT key leaks” vulnerability.
3. Fixed the “LANDAP stack overflow” vulnerability. (discovered by search SEARCH-LAB)
4. Remove the “Arbitrary file upload interface” vulnerability. (discovered by search SEARCH-LAB)
5. Fixed an issue that Time zone setting for Minsk should be GMT+3.
6. Fixed a vulnerability - Authenticated Arbitrary File Upload with Root Privileges. (discovered by IOActive Security)
7. Fixed a vulnerability - Authenticated Root OS Command Injection in File Upload. (discovered by IOActive Security)
8. Fixed an XSS vulnerability - Stored XSS in User Name. (discovered by IOActive Security) 
9. Fixed an XSS vulnerability - Reflected XSS in HTTP Host Header. (discovered by IOActive Security)

New Features
1.   Upgrade mydlink agent to 2.1.0-b27.
2.   Change the HTTPS self-signed certificate to SHA2 algorithms.
3.   Support Mydlink UID mechanism (mdb get dev_uid)
4.   Change the support page hyperlink of Firmware Upgrade web-UI to www.dlink.com.
5.   Updated OpenSSL to v0.9.8o.
6.   Remove mDNSResponder daemon on the unit.
7.   Remove the Bonjour settings from the Network Setup web-UI
8.   Change the default system time to 2016-01-01
9.   Update the years in the copyright statement for IP Camera’s web-UI to 2016.
10.   Add authentication to CGI /config/stream_info.cgi.
11.   Offer the password validation on console port. (Console’s Password is synchronized with the admin’s password)


Please post your comments and observations as a reply to this thread.

 :)  ;)  :)