Security Advisory: New firmware has been released that fixes the latest HNAP Privilege Escalation Vulnerability. Please ensure to upgrade your router to the latest firmware version. Click on on the Downloads tab below.
An attacker who wishes to gain access to the router sends an unprivileged HNAP command such as GetDeviceSettings, they append to the command an additional command separated with an “/”, which is used as a separator between commands. Any command(s) after the first will be executed unauthenticated. Additionally, additional commands will be passed directly to the underlying Linux system, allowing the injection of arbitrary system commands.
The GetDeviceSettings HNAP Command is used to indicate some very common parameters (e.g. the domain name of the HNAP device), as well as to define which HNAP commands are available.
My DIR-850L has firmware 1.06 now. Yesterday, I saw 1.09 is released in September, 2013.
I checked the release notes of it, below.
Firmware: v1.09 9/17/2013 NA and EU Region Revision Info:
¤ Block traffic between WAN and LAN ports during booting
¤ Fixed UPnP security issue
¤ Improved wireless IOT issue
¤ Enhanced direct access stability with mydlink SharePort app
Got DIR-850L at London Drugs. It is only $10 more than the one I got, DIR-845L at Costco. I did not see the benefits of SmartBeamTM Technology. So I spend $109 to get a new router with 802.11AC support. 802.11AC is a new standard. See new technologies data from Wiki.
Extended channel binding
Mandatory 80 MHz channel bandwidth for STAs (vs. 40 MHz maximum in 802.11n), 160 MHz available optionally