Print

Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[FurryNutz]

D-Link posted DCS-933L Rev B firmware version,which can be downloaded here: DCS-933L Rev A  - Firmware v1.13 B05 Download.

Problems Fixed
1.   Fixed CSRF vulnerability for the camera’s web-UI (Exclude CGI APIs).
2.   Fixed an issue where IP Camera blocks CGI request from Chrome and Edge.

New Features
1.   Update the mydlink agent to v2.0.20-b10.
2.   Remove the Direct Mode function.
3.   Upgrade OpenSSL library to 1.0.1f.

• DCS-933L - Firmware Release Notes
  
• Network Cameras - Important Posts & Information
  
• Network Cameras - Beta Firmware Terms and Conditions
  
• Network Cameras - Why Have Multiple Hardware Versions for the Same Model?
  
  

Please post your comments and observations as a reply to this thread.

    

[rjms]

DCS-933L Rev A  - Firmware v1.13 B05
(...)
2.   Remove the Direct Mode function.
3.   Upgrade OpenSSL library to 1.0.1f.

So, who'll be brave enough to try first?

Wondering if they introduced the same annoyances as the newest 930L(A) firmware... or worst, if they circumvented the referrer hack that palliated those annoyances...

Questions:

• Anyone knows if this is reversible to older firmware?
• What is "Direct Mode function", anything we'll miss? Can't find it in the 1.12.03 interface.
  Is it to view video directly in a browser (CGI) without java?
  Does it affect use with 3rd party apps (like iSpy)?
• OpenSSL 1.0.1f dates back to January 2014! It's currently (2016-09) at 1.0.1u... Ok, not a question, just an observation that begs a question...

Note: strangely, the PDF mentions 2016-01-18 as date of release for 1.13.05, including a typo that states 931L... maybe a crude cut&paste from an earlier update for 931L.

[FurryNutz]

i already have this loaded. Works well. There was a delay in getting the release notes to the web guys so even though the dates are correct, the actual release was delayed posting to the web site.

You can downgrade FW versions.

[rjms]

Works well.

So, can you access, say, your_cam_IP/image.htm directly (e.g. for bookmarking for quick access) without getting the "The request is forbidden" message?

You can downgrade FW versions.

Good to know, thanks.

[FurryNutz]

I haven't tried that. I'll give it a go this weekend and let you know.

[rjms]

Now that I upgraded the firmware, I can confirm it has the same  ridiculous  misbehavior where simply browsing directly on any page of the web UI gives a "The request is forbidden" message.
You have to go through it's home page to get to the other pages.

They'll claim it's for security, but it's not true since you can overcome by simply spoofing the referrer in cURL or through a Greasemonkey script (both tested), or probably through some Extension that can change the referrer (not tested).

*Sigh*

[FurryNutz]

What browser and OS platform are you using ?

Now that I upgraded the firmware, I can confirm it has the same  ridiculous  misbehavior where simply browsing directly on any page of the web UI gives a "The request is forbidden" message.
You have to go through it's home page to get to the other pages.

They'll claim it's for security, but it's not true since you can overcome by simply spoofing the referrer in cURL or through a Greasemonkey script (both tested), or probably through some Extension that can change the referrer (not tested).

*Sigh*

[rjms]

The bug (or intended "feature") can is reproduced on the following OSes and browsers:

• Windows 7 x64, Firefox (unless as noted above I use a Greasemonkey script to spoof referrer)
• Windows 7 x64, IE11
• Android (on Nexus 7), Firefox
• Linux Mint 17, Firefox

Of course, no immediate results on Chrome (or Chromium) on Windows, Android or Linux because DLink actively blocks access from that browser anyway...
... unless I use an agent spoofer, which will perfectly show the web UI, but again going directly to individual pages gives the error message.

[FurryNutz]

Thank you for this information. I'll try this with my 933L this evening. 

The bug (or intended "feature") can is reproduced on the following OSes and browsers:

• Windows 7 x64, Firefox (unless as noted above I use a Greasemonkey script to spoof referrer)
• Windows 7 x64, IE11
• Android (on Nexus 7), Firefox
• Linux Mint 17, Firefox

Of course, no immediate results on Chrome (or Chromium) on Windows, Android or Linux because DLink actively blocks access from that browser anyway...
... unless I use an agent spoofer, which will perfectly show the web UI, but again going directly to individual pages gives the error message.

[FurryNutz]

Ya I can confirm the forbidden message when using IPaddress/image.htm.

This maybe something D-Link is blocking now.