The D-Link DNS-323 contains a flaw caused by the program failing to properly sanitize the 'T1' parameter submitted to the /goform/right_now_d script. The parameter is a comma-delimited string, and the SCHEDULE<NUM> element within it is the affected part. This may allow a remote attacker to execute arbitrary code.
Arbitrary file upload
When one clicks the "Save To" text box or the "Browse" button, a popup appears listing the directories on the "Volume_1" share. Clicking the "+" sign to open a directory sends a POST request to /goform/GetNewDir with the following parameters:
A directory traversal is possible via the fNEW_DIR variable, and one can browse not only the directories but also the files by setting f_file to "1". For example, with the following parameters one can browse /:
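As an added defensive example (not code from this advisory or from the DNS-323 firmware), the check below shows how a GetNewDir handler should confine a requested fNEW_DIR to the share root, rejecting traversal (including URL-encoded forms) before listing directories or, when f_file is "1", files. The share mount point /mnt/HD_a2/Volume_1 is an assumed placeholder, and the sample request bodies are constructed.

```python
import posixpath
from typing import Optional
from urllib.parse import parse_qs, unquote

# Assumed mount point of the Volume_1 share (placeholder, not from the advisory)
SHARE_ROOT = "/mnt/HD_a2/Volume_1"


def resolve_share_path(share_root: str, requested: str) -> Optional[str]:
    """Return the absolute path for a requested directory, or None if it
    would escape the share. Decoding is repeated a bounded number of times
    so that double-encoded sequences such as ..%252F are caught as well."""
    decoded = requested
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    if "\x00" in decoded:          # embedded NUL can truncate the path in C code
        return None
    # Treat the request as relative to the share root, then collapse . and ..
    candidate = posixpath.normpath(posixpath.join(share_root, decoded.lstrip("/")))
    root = posixpath.normpath(share_root)
    if candidate != root and not candidate.startswith(root + "/"):
        return None                # normalised path left the share
    return candidate


def check_getnewdir(body: str) -> dict:
    """Parse a GetNewDir POST body (fNEW_DIR, f_file) and decide whether the
    requested listing stays inside the share."""
    params = parse_qs(body, keep_blank_values=True)
    requested = params.get("fNEW_DIR", [""])[0]
    list_files = params.get("f_file", ["0"])[0] == "1"
    resolved = resolve_share_path(SHARE_ROOT, requested)
    return {
        "requested": requested,
        "list_files": list_files,
        "resolved": resolved,
        "allowed": resolved is not None,
    }


if __name__ == "__main__":
    # Constructed sample bodies: one benign, one traversal attempt
    for body in ("fNEW_DIR=Music&f_file=0", "fNEW_DIR=../../etc&f_file=1"):
        print(check_getnewdir(body))
```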