TOTOLINK CA300-POE Command Injection Vulnerability in Firmware Upgrade Function

A command injection vulnerability has been identified in the TOTOLINK CA300-POE router, specifically in the firmware version V6.2c.884_B20180522. The issue arises in the 'recvUpgradeNewFw' function, where the 'fwUrl' parameter can be manipulated to execute arbitrary commands on the device. This vulnerability can be exploited by sending a crafted request that includes the malicious command in the 'fwUrl' parameter.

Impact

Exploitation of this vulnerability allows for arbitrary command execution on the affected device.

Reproduction

To reproduce this vulnerability, send a POST request to '/cgi-bin/cstecgi.cgi' on the device's IP address. Include the 'topicurl' parameter set to 'recvUpgradeNewFw' and the 'fwUrl' parameter with a crafted value that includes the desired command, such as '1;pwd;'.