D-Link DI-7300G+
cpe:2.3:h:dlink:di-7300g+:*:*:*:*:*:*:*
- 19.12.25A1
A critical command injection vulnerability has been identified in the D-Link DI-7300G+ router, specifically in version 19.12.25A1. The issue arises in the file 'proxy_client.asp', where the parameters 'proxy_srv', 'proxy_lanport', 'proxy_lanip', and 'proxy_srvport' can be manipulated to inject operating system commands. This vulnerability can be exploited remotely, allowing attackers to execute arbitrary commands and potentially gain full control over the affected device.
Exploitation of this vulnerability allows for arbitrary command execution on the affected device, with the potential for full control over the router.
The vulnerability can be reproduced by sending a request to the 'proxy_client.asp' file with crafted parameters that include the 'proxy_srv', 'proxy_lanport', 'proxy_lanip', and 'proxy_srvport' values. This can be done remotely, taking advantage of the command injection flaw to execute arbitrary commands on the device.
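For detection or for filtering in front of the device, the following added example (not code from this advisory or from D-Link) flags requests to 'proxy_client.asp' whose four named parameters fail a strict allow-list, rather than trying to enumerate shell metacharacters. The expected value types (host, port, IP) and the delivery of the parameters in the query string or form body are assumptions inferred from the parameter names; the sample requests are constructed.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

TARGET = "/proxy_client.asp"  # page named in the advisory
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOST_RE = re.compile(rf"{LABEL}(?:\.{LABEL})*")

def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def _is_port(value):
    # ASCII digits only, at most 5 of them, and inside the valid port range.
    return (value.isascii() and value.isdigit() and len(value) <= 5
            and 1 <= int(value) <= 65535)

def _is_host(value):
    return _is_ip(value) or (len(value) <= 253 and HOST_RE.fullmatch(value) is not None)

# ASSUMPTION: value types are inferred from the parameter names only.
RULES = {
    "proxy_srv": _is_host,
    "proxy_srvport": _is_port,
    "proxy_lanip": _is_ip,
    "proxy_lanport": _is_port,
}

def suspicious_params(url, body=""):
    """Return the sorted names of advisory parameters that fail the allow-list."""
    parts = urlsplit(url)
    if not parts.path.lower().endswith(TARGET):
        return []
    params = parse_qs(parts.query)
    for name, values in parse_qs(body).items():  # form-encoded body, if any
        params.setdefault(name, []).extend(values)
    return sorted(name for name, ok in RULES.items()
                  if any(not ok(v) for v in params.get(name, [])))

# Constructed sample requests (url, body); not captured traffic.
SAMPLES = [
    ("/proxy_client.asp?proxy_srv=proxy.example.net&proxy_srvport=8080"
     "&proxy_lanip=192.168.0.10&proxy_lanport=3128", ""),
    ("/proxy_client.asp?proxy_srv=10.0.0.5%3Bx&proxy_srvport=8080", ""),
    ("/proxy_client.asp", "proxy_lanip=192.168.0.10%0Ax&proxy_lanport=80%7Cx"),
]
```

A non-empty result means the request should be logged and rejected; because the check is an allow-list, it also catches encodings and separators that a metacharacter blocklist would miss.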