D-Link DI-7001 MINI Command Injection Vulnerability in Upgrade Filter ASP
Vulnerability
A command injection vulnerability has been identified in the D-Link DI-7001 MINI gateway, firmware version 24.04.18B1. The issue is in the file '/upgrade_filter.asp', where the 'path' argument can be manipulated to execute arbitrary operating system commands. The vulnerability can be exploited remotely by sending crafted HTTP POST requests.
Impact
Exploitation of this vulnerability allows arbitrary command execution on the affected device, potentially leading to unauthorized access to or control over the device.
Reproduction
To reproduce this vulnerability, send a POST request to '/upgrade_filter.asp' with a 'path' parameter containing a command to be executed, such as a command to list directory contents redirected to a file.
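Added example, not part of the original advisory or any vendor code: a log-side check that flags requests to '/upgrade_filter.asp' whose 'path' value contains shell metacharacters. The metacharacter set, the (method, url, body) record layout and the sample requests are constructed assumptions; the advisory does not state which characters trigger the injection or whether the parameter travels in the body or the query string.

```python
import re
from urllib.parse import urlsplit, parse_qsl

TARGET = "/upgrade_filter.asp"  # endpoint named in the advisory

# Assumption: characters and sequences a shell treats as command
# separators, substitution or redirection. Tune to your environment.
SHELL_META = re.compile(r"[;&|`<>\n\r]|\$\(|\$\{")


def suspicious_path_values(method, url, body=""):
    """Return decoded 'path' values in a request to TARGET that contain
    shell metacharacters. Empty list means nothing to flag."""
    parts = urlsplit(url)
    if not parts.path.lower().endswith(TARGET):
        return []
    # parse_qsl percent-decodes, so encoded metacharacters are caught too.
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    if method.upper() == "POST":
        pairs += parse_qsl(body, keep_blank_values=True)
    return [v for k, v in pairs if k == "path" and SHELL_META.search(v)]


def scan(records):
    """Return (index, flagged_values) for every record worth an alert."""
    hits = []
    for i, (method, url, body) in enumerate(records):
        values = suspicious_path_values(method, url, body)
        if values:
            hits.append((i, values))
    return hits


# Constructed sample records (method, url, form-encoded body); the values
# are synthetic placeholders, not captured traffic.
SAMPLES = [
    ("POST", "/upgrade_filter.asp", "path=%2Ftmp%2Ffilter.bin"),  # plain file path
    ("POST", "/upgrade_filter.asp", "path=a%3Bb"),                # encoded ';'
    ("POST", "/index.asp", "path=a%3Bb"),                         # other endpoint
    ("GET", "/upgrade_filter.asp?path=a%7Cb", ""),                # encoded '|' in query
]

if __name__ == "__main__":
    for index, values in scan(SAMPLES):
        print(f"record {index}: suspicious path value(s) {values!r}")
```

Run it over proxy or WAF logs that retain request bodies; a management interface that is never legitimately sent a 'path' with these characters makes any hit worth investigating.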
Added: Oct 7, 2025, 8:26 PM
Updated: Oct 7, 2025, 8:26 PM
