Print

Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[GaryNY]

I'm wondering if any of the D-Link cameras are vulnerable to the recently discovered shellshock bug (a bug in the Unix/Linux bash shell)? If they are, I wonder if a fix will be released, and in the mean time, if they are vulnerable, I would disable the uPNP port forwarding in my router, to make them not directly exposed to the internet. I expect this would reduce the risk considerably. To help me decide whether port forwarding is now too risky, I would like to know if there's any vulnerability.

[FurryNutz]

http://forums.dlink.com/index.php?topic=56542.0

[GaryNY]

OK, thanks for the quick response.  Based on that, it appears there should be no vulnerability. In general though, I've read web applications utilizing cgi or php could be exploited by sending a specially crafted URL, but this also requires that bash be the default shell (c or ksh could also be the default). I do note that many D-Link cameras do support cgi (for example, http://<ip-address>/image/jpeg.cgi?profileid=1 will return an image, so I wondered if it was possible to reach bash by altering this URL... sounds like the answer is no).

[FurryNutz]

You are correct. Even if it could be done, still need the log in information to gain access from the WAN side I believe. You can just arbitrarily send code to a device with out several processes being met from the WAN side.

[GaryNY]

Good point, I think you are correct about that, I can't use that cgi link without first logging in, and my camera requires a login.

[FurryNutz]