D-Link DNS-323 contains a flaw that is due to the program failing to properly sanitize input passed via the 'fNEW_DIR' parameter upon submission to the /goform/GetNewDir script. This may allow a remote attacker to overwrite arbitrary files.
Arbitrary file upload
When one clicks in the "Save To" textbox or the "Browse" button, a popup appears with the directories on the "Volume_1" share. When one clicks the "+" sign to open a directory, a POST request is sent to /goform/GetNewDir with the following parameters:
A directory traversal is possible via the fNEW_DIR parameter, and one can browse not only the directories but also the files by setting f_file to "1". So, for example, with the following params one can browse /:
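The missing check described above is canonicalization of fNEW_DIR against the share root. The following is an added example (not code from the advisory or from D-Link firmware) showing the validation the /goform/GetNewDir handler should perform, plus a small log-triage function that flags requests whose fNEW_DIR escapes the share or that set f_file=1. The share root path "/srv/Volume_1", the function names, and the sample request bodies are all assumptions constructed for the example; the DNS-323's real mount path is not stated on the page.

```python
import posixpath
from urllib.parse import parse_qs

# Assumed on-disk root of the "Volume_1" share (placeholder for the example;
# the DNS-323's actual mount point is not given in the advisory).
SHARE_ROOT = "/srv/Volume_1"


def resolve_dir_param(value, share_root=SHARE_ROOT):
    """Canonicalize a user-supplied directory parameter relative to the share root.

    Returns the resolved absolute path if it stays inside share_root, or None if
    the value escapes it (via '..' segments, an absolute path, or a NUL byte).
    This is the sanitization the advisory says the firmware fails to do.
    """
    if "\x00" in value:
        return None
    # A leading slash is interpreted relative to the share, never the filesystem root.
    rel = value.lstrip("/")
    resolved = posixpath.normpath(posixpath.join(share_root, rel))
    if resolved != share_root and not resolved.startswith(share_root + "/"):
        return None
    return resolved


def flag_request(method, path, body):
    """Return a list of findings for one HTTP request (method, path, form body).

    Only POSTs to /goform/GetNewDir are inspected; everything else yields [].
    """
    findings = []
    if method != "POST" or path != "/goform/GetNewDir":
        return findings
    params = parse_qs(body, keep_blank_values=True)  # decodes %2F etc.
    for raw in params.get("fNEW_DIR", []):
        if resolve_dir_param(raw) is None:
            findings.append(f"fNEW_DIR escapes share root: {raw!r}")
    if params.get("f_file", [""])[0] == "1":
        findings.append("f_file=1 requests a file listing rather than directories only")
    return findings


def scan_requests(requests):
    """Run flag_request over an iterable of (method, path, body) tuples.

    Returns {index: findings} for requests that produced at least one finding.
    """
    return {i: f for i, req in enumerate(requests) if (f := flag_request(*req))}


if __name__ == "__main__":
    # Constructed sample traffic, not captured from a real device.
    SAMPLE = [
        ("POST", "/goform/GetNewDir", "fNEW_DIR=photos%2F2009&f_file=0"),
        ("POST", "/goform/GetNewDir", "fNEW_DIR=..%2F..%2Fetc&f_file=1"),
        ("GET", "/goform/GetNewDir", "fNEW_DIR=..%2Fx"),
    ]
    for idx, findings in scan_requests(SAMPLE).items():
        print(f"request {idx}:")
        for line in findings:
            print("  ", line)
```

resolve_dir_param is the piece a firmware fix would need: normalize first, then compare the result against the root with a trailing-separator check so that a sibling directory such as "/srv/Volume_1x" is not accepted by a bare prefix match. The triage function is deliberately narrow (one endpoint, one parameter) so it can be dropped into a log-parsing loop without tuning.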