| عنوان | D-Link DIR-852 1.00CN B09 Exposure of Sensitive Information Through Data Queries |
|---|
| الوصف | An authentication bypass vulnerability was discovered in the `getcfg.php` endpoint of some D-Link router firmwares. The vulnerability stems from a logical flaw in the order of operations within the `phpcgi_main` function of the underlying `cgibin` binary when handling user POST parameters and server-side session state. The application first parses user-controllable POST data before appending the server-generated session validation result (e.g., `AUTHORIZED_GROUP=-1`).
Due to a "first-occurrence-priority" principle in the back-end parsing engine, an attacker can inject a forged `AUTHORIZED_GROUP=1` parameter in the POST request to preemptively define the authorization state, causing the legitimate result to be ignored. An unauthenticated remote attacker can exploit this vulnerability to bypass access controls, call `getcfg.php`, and retrieve sensitive device configuration information, such as administrator account credentials. |
|---|
| المصدر | ⚠️ https://github.com/i-Corner/cve/issues/21 |
|---|
| المستخدم | iC0rner (UID 82839) |
|---|
| ارسال | 31/08/2025 02:26 PM (9 أشهر منذ) |
|---|
| الاعتدال | 08/09/2025 07:04 AM (8 days later) |
|---|
| الحالة | تمت الموافقة |
|---|
| إدخال VulDB | 323049 [D-Link DIR-852 حتى 1.00CN B09 Device Configuration /getcfg.php phpcgi_main الكشف عن المعلومات] |
|---|
| النقاط | 20 |
|---|