D-Link DIR-823X OS Command Injection Vulnerability

A command injection vulnerability has been identified in the D-Link DIR-823X router, specifically in the 250416 version. The issue arises in the '/goform/set_language' endpoint, where the 'langSelection' parameter is not properly sanitized. This flaw allows authenticated attackers to inject arbitrary shell commands, which are executed with root privileges via the system shell when the language configuration is saved.

Impact

Exploitation of this vulnerability allows for remote command execution on the affected device, with the injected commands being executed as the root user.

Reproduction

To reproduce this vulnerability, an authenticated user can send a POST request to the '/goform/set_language' endpoint with a payload that includes newline characters. This payload will bypass the application's input sanitization and inject commands that will be executed with root privileges.