| Title | Tenda CH22 V1.0.0.1 Authentication Bypass Issues |
|---|---|
| Description | A critical authentication bypass vulnerability exists in the CH22 V1.0.0.1 firmware. The vulnerability is located in the `R7WebsSecurityHandler` function, which acts as the security filter for HTTP requests. The application defines a whitelist of URL prefixes (e.g., `/public/`, `/lang/`, `/images/`) that are allowed to be accessed without authentication. The function uses `strncmp` to check if the request URL begins with these trusted prefixes: e.g., `if ( !strncmp(s1, "/public/", 8u) ... return 0;`. However, the application fails to validate or canonicalize the subsequent part of the URL. An unauthenticated remote attacker can send a crafted HTTP request that starts with a whitelisted prefix but employs directory traversal sequences (`../`) to escape the restricted directory. For example, a request to `/public/../../system_upgrade.asp` will satisfy the `strncmp` check (bypassing authentication) but will be resolved by the web server to the sensitive `system_upgrade.asp` page, granting full administrative access. |
| Source | https://github.com/master-abc/cve/blob/main/Tenda%20CH22%20V1.0.0.1%20Router%20Authentication%20Bypass%20Vulnerability%20in%20R7WebsSecurityHandler%20function.md |
| User | jiefengliang (UID 93721) |
| Submission | 2025-12-22 09:48 (6 months ago) |
| Moderation | 2025-12-24 17:54 (2 days later) |
| Status | Accepted |
| VulDB entry | 338333 [Tenda CH22 1.0.0.1 /public/ directory traversal] |
| Points | 20 |
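
The prefix check described above, next to a form that canonicalizes the path before deciding, as an added example that is not taken from the advisory or from the firmware. The function names are hypothetical, and the code assumes the path has already been percent-decoded and stripped of its query string.

```c
#include <stdio.h>
#include <string.h>

/* Prefixes named in the advisory as reachable without authentication. */
static const char *const OPEN_PREFIXES[] = { "/public/", "/lang/", "/images/" };

/* Pattern the advisory describes: prefix test on the raw URL. 1 = auth skipped. */
int skips_auth_raw(const char *url) {
    for (size_t i = 0; i < sizeof OPEN_PREFIXES / sizeof *OPEN_PREFIXES; i++)
        if (!strncmp(url, OPEN_PREFIXES[i], strlen(OPEN_PREFIXES[i])))
            return 1;
    return 0;
}

/* Resolve "." and ".." segments of a decoded, query-free path (assumption).
 * Returns -1 if it is not absolute, does not fit, or climbs above the root. */
int canonicalize(const char *url, char *out, size_t cap) {
    size_t len = 0;
    const char *p = url;
    if (url[0] != '/' || cap < 2) return -1;
    while (*p) {
        while (*p == '/') p++;                 /* collapse repeated slashes */
        const char *seg = p;
        while (*p && *p != '/') p++;
        size_t n = (size_t)(p - seg);
        if (n == 0 || (n == 1 && seg[0] == '.')) continue;
        if (n == 2 && seg[0] == '.' && seg[1] == '.') {
            if (len == 0) return -1;           /* would leave the web root */
            while (out[--len] != '/') { }      /* drop the last segment */
            continue;
        }
        if (len + n + 3 > cap) return -1;      /* room for '/', seg, '/', NUL */
        out[len++] = '/';
        memcpy(out + len, seg, n);
        len += n;
    }
    if (len == 0 || p[-1] == '/') out[len++] = '/';  /* keep directory slash */
    out[len] = '\0';
    return 0;
}

/* Hardened form: decide on the canonical path; a rejected path needs auth. */
int skips_auth_canonical(const char *url) {
    char path[256];
    return canonicalize(url, path, sizeof path) == 0 && skips_auth_raw(path);
}

int main(void) {
    const char *u = "/public/../../system_upgrade.asp"; /* request from the advisory */
    printf("raw=%d canonical=%d\n", skips_auth_raw(u), skips_auth_canonical(u));
}
```

The check only holds if the server then serves the same canonical path it authorized, not the original request string.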