D-Link posted DCS-932L Rev A firmware version
v1.13 B04 which can be downloaded here:
https://www.mydlink.com/download.
Problems Fixed 1. Fixed CSRF vulnerability for the camera’s web-UI (Exclude CGI APIs).
2. Fixed the “RSA-CRT key leaks” vulnerability.
3. Fixed the “LANDAP stack overflow“ vulnerability. (discovered by search SEARCH-LAB)
4. Remove the “Arbitrary file upload interface” vulnerability. (discovered by search SEARCH-LAB)
5. Fixed an issue that Time zone setting for Minsk should be GMT+3.
6. Fixed a vulnerability - Authenticated Arbitrary File Upload with Root Privileges. (discovered by IOActive Security)
7. Fixed a vulnerability - Authenticated Root OS Command Injection in File Upload. (discovered by IOActive Security)
8. Fixed an XSS vulnerability - Stored XSS in User Name. (discovered by IOActive Security)
9. Fixed an XSS vulnerability - Reflected XSS in HTTP Host Header. (discovered by IOActive Security)
New Features 1. Upgrade mydlink agent to 2.1.0-b27.
2. Change the HTTPs self-signed certificate to SHA2 algorithms.
3. Support Mydlink UID mechanism (mdb get dev_uid)
4. Change the support page hyperlink of Firmware Upgrade web-UI to www.dlink.com.
5. Updated OpenSSL to v0.9.8o.
6. Remove mDNSResponder daemon on the unit.
7. Remove the Bonjour settings from the Network Setup web-UI
8. Change the default system time to 2016-01-01
9. Update the years in the copyright statement for IP Camera’s web-UI to 2016.
10. Add authentication to CGI /config/stream_info.cgi.
11. Offer the password validation on console port. (Console’s Password is synchronized with the admin’s password)
Please post your comments and observations as a reply to this thread.
Author
Topic: New - DCS-932L Rev A v1.13.04 Firmware Comments & Observations (Read 3679 times)