D-Link DCS-930L Command Injection Vulnerability in alphapd Component

A command injection vulnerability has been identified in the D-Link DCS-930L camera, specifically in the firmware version 1.15.04. The issue arises in the alphapd component, within the setSystemAdmin function. The vulnerability allows remote attackers to execute arbitrary operating system commands by manipulating the AdminID parameter, which is improperly sanitized before being executed. This vulnerability affects products that are no longer supported by the manufacturer.

Impact

Exploitation of this vulnerability allows for arbitrary command execution on the device.

Reproduction

To reproduce this vulnerability, send a POST request to the /setSystemAdmin endpoint. Include the AdminID parameter with a crafted value that exploits the command injection flaw, such as a command followed by a comment delimiter. The request must be authorized with basic authentication using admin credentials.