| Titel | D-Link DIR-852 1.00CN B09 Exposure of Sensitive Information Through Data Queries |
|---|
| Beschreibung | An authentication bypass vulnerability was discovered in the `getcfg.php` endpoint of some D-Link router firmwares. The vulnerability stems from a logical flaw in the order of operations within the `phpcgi_main` function of the underlying `cgibin` binary when handling user POST parameters and server-side session state. The application first parses user-controllable POST data before appending the server-generated session validation result (e.g., `AUTHORIZED_GROUP=-1`).
Due to a "first-occurrence-priority" principle in the back-end parsing engine, an attacker can inject a forged `AUTHORIZED_GROUP=1` parameter in the POST request to preemptively define the authorization state, causing the legitimate result to be ignored. An unauthenticated remote attacker can exploit this vulnerability to bypass access controls, call `getcfg.php`, and retrieve sensitive device configuration information, such as administrator account credentials. |
|---|
| Quelle | ⚠️ https://github.com/i-Corner/cve/issues/21 |
|---|
| Benutzer | iC0rner (UID 82839) |
|---|
| Einreichung | 31.08.2025 14:26 (vor 9 Monaten) |
|---|
| Moderieren | 08.09.2025 07:04 (8 days later) |
|---|
| Status | Akzeptiert |
|---|
| VulDB Eintrag | 323049 [D-Link DIR-852 bis 1.00CN B09 Device Configuration /getcfg.php phpcgi_main Information Disclosure] |
|---|
| Punkte | 20 |
|---|