Print

Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[FurryNutz]

D-Link posted DCS-930L Rev A firmware version v1.15 B04 which can be downloaded here: http://support.dlink.com/ProductInfo.aspx?m=DCS-930L

Problems Fixed
1. Fixed CSRF vulnerability for the camera’s web-UI (Exclude CGI APIs).
2. Fixed the “RSA-CRT key leaks” vulnerability.
3. Fixed the “LANDAP stack overflow“ vulnerability. (discovered by search SEARCH-LAB)
4. Remove the “Arbitrary file upload interface” vulnerability. (discovered by search SEARCH-LAB)
5. Fixed an issue that Time zone setting for Minsk should be GMT+3.
6. Fixed a vulnerability - Authenticated Arbitrary File Upload with Root Privileges. (discovered by IOActive Security)
7. Fixed a vulnerability - Authenticated Root OS Command Injection in File Upload. (discovered by IOActive Security)
8. Fixed an XSS vulnerability - Stored XSS in User Name. (discovered by IOActive Security) 
9. Fixed an XSS vulnerability - Reflected XSS in HTTP Host Header. (discovered by IOActive Security)

New Features
1.   Upgrade mydlink agent to 2.1.0-b27.
2.   Change the HTTPs self-signed certificate to SHA2 algorithms.
3.   Support Mydlink UID mechanism (mdb get dev_uid)
4.   Change the support page hyperlink of Firmware Upgrade web-UI to www.dlink.com.
5.   Updated OpenSSL to v0.9.8o.
6.   Remove mDNSResponder daemon on the unit.
7.   Remove the Bonjour settings from the Network Setup web-UI
8.   Change the default system time to 2016-01-01
9.   Update the years in the copyright statement for IP Camera’s web-UI to 2016.
10.   Add authentication to CGI /config/stream_info.cgi.
11.   Offer the password validation on console port. (Console’s Password is synchronized with the admin’s password)

• Network Cameras - Important Posts & Information
  
• Network Cameras - Beta Firmware Terms and Conditions
  
• Network Cameras - Why Have Multiple Hardware Versions for the Same Model?
  
  

Please post your comments and observations as a reply to this thread.

    

[rjms]

Hmm... seems controlling from a script doesn't work anymore... "The request is forbidden"
(see http://forums.dlink.com/index.php?topic=59969.msg243501#msg243501 )

Also, simply entering a direct URL on the web UI doesn't work, must click on web UI links
e.g. entering http://[you ipcam's local IP]/upload.htm in address bar for direct access to FTP also results in "The request is forbidden"... must click the FTP link.

Anyone can confirm? If so, any work around, or new method?

[FurryNutz]

There are a few security fixes on this and I'm wondering if what you were using before has been closed due to one of these fixes. You might phone contact D-Link support and ask about this...

[rjms]

They probably decided to throw the baby with the bathwater...

At least the video streams URLs are still accessible to 3rd party software (eg ispy).

Will wait a bit to see what others observe before downgrading...

/edit: Adding a proper "--referer" to the curl's prevents error page, but new settings won't apply... still looking into it, all might not be lost for automation.

/edit #2: The "--referer" solves the curl problem after all, the settings apply. Still a bit ridiculous that one can't access a page directly, e.g. your_cam_IP/image.htm gives "forbidden" message.

[FurryNutz]

Thanks for updating us with this info. Hope it helps.

They probably decided to throw the baby with the bathwater...

At least the video streams URLs are still accessible to 3rd party software (eg ispy).

Will wait a bit to see what others observe before downgrading...

/edit: Adding a proper "--referer" to the curl's prevents error page, but new settings won't apply... still looking into it, all might not be lost for automation.

/edit #2: The "--referer" solves the curl problem after all, the settings apply. Still a bit ridiculous that one can't access a page directly, e.g. your_cam_IP/image.htm gives "forbidden" message.

[rstark18]

Seems as though www.mydlink.com/download has pulled 1.15 and has 1.14 as the most current. Anyone have any ideas why?

[FurryNutz]

its' available on D-Links main support site.

[acellier]

I totally agree - breaks a number of php/html pages that we use.

[rjms]

I totally agree - breaks a number of php/html pages that we use.

Have you tried referer spoofing in PHP, if possible like above with curl?

[rangea2]

I have 2 cameras 930. The app force me to update the firmware, then after update the firmware, my cameras start frezzing and get disconected from the app. I have to manually diconnect the energy and connect again.

Is there a solution?

[FurryNutz]

Link>Welcome!

• What region are you located?

What Mfr and model is the main host router?
What wireless modes are you using?
What is the distance between the Camera and the main host router?
How many other wireless devices do you have connected to the main host router?

• Any 2.4Ghz or 5Ghz cordless house phones or WiFi APs near by that maybe causing interferences?
• Any other WiFi routers in the area that maybe causing interferences? Link> Use a WiFi Scanner to find out. How many?

I recommend setting a static IP address ON the cameras outside of the main host routers default DHCP IP address pool as a troubleshooting step: 192.168.#.93 and .94  DHCP

Test cameras with uPnP and uPnP Port Forwarding both enabled on ALL cameras: DCS Cloud (L) Series Camera Configuration and Mydlink.com

Can you connect the cameras to a LAN wired cable connection and manually factory reset, manually update the FW on both then factory reset once more then set up from scratch?

[FurryNutz]

Currently its the v2.12
http://support.dlink.com/ProductInfo.aspx?m=DCS-930L

where is the new Firmware for  DCS-930LB1.....its 2.13

[FurryNutz]

What region are you located? 

where is the new Firmware for  DCS-930LB1.....its 2.13

[TelfordPa]

I figured it out everything is fine now

[FurryNutz]

 

Enjoy.