D-Link Forums

The Graveyard - Products No Longer Supported => Routers => DIR-868L => Topic started by: FurryNutz on February 28, 2018, 09:23:15 AM

Title: New - DIR-868L Rev A v1.20 Build 01 Beta FW - Official Security Release
Post by: FurryNutz on February 28, 2018, 09:23:15 AM
Firmware:   v1.20 Build 01 Beta   02/28/2018 WW Region!
Revision Info:   
Problems Resolved:
Reported: 01/14/2018
Discovered by: Kaixiang Zhang of Qihoo 360 Gear Team

CVE-2018-6527 - XSS vulnerability in htdocs/webinc/js/adv_parent_ctrl_map.php allowing remote attackers to read a cookie via a crafted deviceid parameter to soap.cgi.

CVE-2018-6528 - XSS vulnerability in htdocs/webinc/body/bsc_sms_send.php allowing remote attackers to read a cookie via a crafted receiver parameter to soap.cgi.

CVE-2018-6529 - XSS vulnerability in htdocs/webinc/js/bsc_sms_inbox.php allowing remote attackers to read a cookie via a crafted Treturn parameter to soap.cgi.

CVE-2018-6530 - OS command injection vulnerability in soap.cgi (soapcgi_main in cgibin) allowing remote attackers to execute arbitrary OS commands via the service parameter.


NOTE: Follow the FW Update Process (http://forums.dlink.com/index.php?topic=42457.0)

Get it here:
DIR-868L (http://support.dlink.com/productinfo.aspx?m=DIR-868L)


Title: Re: New - DIR-868L Rev A v1.20 Build 01 Beta FW - Official Security Release
Post by: AFRK on March 18, 2018, 09:39:57 PM
Hello and thanks for updating the firmware to fix the vulnerability.

After doing the firmware update as described, I'm no longer getting any info on the web interface of my router, and I'm getting an InitGeneral() ERROR!!!

Any way to fix this issue? I'm trying to set up the date and time again but nothing is getting saved, so I don't want to reset the router because I'm not sure if anything is going to get saved and I end up with a router that I can't reconfigure.

Here's a SS of the issue I'm having.

Thanks for your help.

(https://trovrg.bn.files.1drv.com/y4mveulR5UbhBlP2GKTRA_tqEAyM6GfGdexr7vKbZ8SvqvaF7nU2iMeCu4Vhz6PSBoczbqbDRw2YHnwYvH2b_gpQV8Re6Jyc5N1AQ93iRtJlNAmRLmMHfc6QGmV37qmcZcnHEP3SLSfeL8B4pUDmmjCoGP3BN7PRBzjcb_-QSq8dkhxVynTMtUaqFQgeKyWXjxyhf_4wg8kUsOXoLb3SHSnbA?)
Title: Re: New - DIR-868L Rev A v1.20 Build 01 Beta FW - Official Security Release
Post by: FurryNutz on March 19, 2018, 10:49:16 AM
Link: Welcome! (http://forums.dlink.com/index.php?topic=48135.0)


What browser are you using?
Try Opera or FF? If IE 8, 9, 10 or 11, set compatibility mode and test again. (For older generation routers.)
Disable any security browser Add-ons like No Script and Ad-Block or configure them to allow All Pages when connected to the router.
Clear all browser caches.

Title: Re: New - DIR-868L Rev A v1.20 Build 01 Beta FW - Official Security Release
Post by: Hans Gruber on June 04, 2018, 05:58:59 AM
Hi, thanks for this updated firmware. Does it include the KRACK fix? Thanks.
Title: Re: New - DIR-868L Rev A v1.20 Build 01 Beta FW - Official Security Release
Post by: FurryNutz on June 04, 2018, 06:59:50 AM
Doesn't look like it.

I don't see it on the list for a KRACK fix either:
http://forums.dlink.com/index.php?topic=72763.0

I'll ask about this and see. The 868L is EOL so not sure if it will get anything more.

Title: Re: New - DIR-868L Rev A v1.20 Build 01 Beta FW - Official Security Release
Post by: GreenBay42 on June 05, 2018, 07:03:21 AM
If the product is not on this list, it is (most likely) not affected --> https://securityadvisories.dlink.com/announcement/publication.aspx?name=SAP10075

The 868 is not on the list.
Title: Re: New - DIR-868L Rev A v1.20 Build 01 Beta FW - Official Security Release
Post by: FurryNutz on June 05, 2018, 08:26:47 AM
Thank you.

Title: Re: New - DIR-868L Rev A v1.20 Build 01 Beta FW - Official Security Release
Post by: Hans Gruber on June 06, 2018, 07:27:37 AM
Thanks for the replies.
Title: Re: New - DIR-868L Rev A v1.20 Build 01 Beta FW - Official Security Release
Post by: FurryNutz on June 06, 2018, 07:37:03 AM
 ;)
Title: Re: New - DIR-868L Rev A v1.20 Build 01 Beta FW - Official Security Release
Post by: FurryNutz on October 24, 2018, 04:02:56 PM
Just want to report that I found my 868L not responding in wireless bridge mode with a DISH Joey connected to it and to a non-D-Link wireless AP on 5GHz. I tried power cycling the 868L and connecting to the UI while in bridge mode. I found that using IE and FF and other browsers I could get to the web page, however with no PW set, selecting Enter or Login does nothing. Just sits there. I cleared all browser caches and still nothing. I factory reset the router via push pin button and I could get to the router mode web page and log in. Selecting Bridge mode again from the router's web page, it rebooted and again, I can access the login page in bridge mode, however Enter or Login does nothing. So I did the recovery mode method and loaded v1.12 onto the router. The FW took and it rebooted, however my PC would not get an IP address, so I power cycled the router off then back on, then the PC finally got an IP address. I logged into the router in router mode and selected Bridge mode and let it reboot. I set the PC for static IP and waited for the router to come to ready. This time I could get to the web page and can log in and get into the router's web page in bridge mode.

Not sure what happens to cause this odd login behavior on this version of FW while in bridge mode. Something for users to be aware of. I presume D-Link won't do anything since the 868L is EOL. Wanted to let others know.

I'll try and reload this version again and see if I can reproduce.