| タイトル | D-Link DIR-852 1.00CN B09 Exposure of Sensitive Information Through Data Queries |
|---|
| 説明 | An authentication bypass vulnerability was discovered in the `getcfg.php` endpoint of some D-Link router firmwares. The vulnerability stems from a logical flaw in the order of operations within the `phpcgi_main` function of the underlying `cgibin` binary when handling user POST parameters and server-side session state. The application first parses user-controllable POST data before appending the server-generated session validation result (e.g., `AUTHORIZED_GROUP=-1`).
Due to a "first-occurrence-priority" principle in the back-end parsing engine, an attacker can inject a forged `AUTHORIZED_GROUP=1` parameter in the POST request to preemptively define the authorization state, causing the legitimate result to be ignored. An unauthenticated remote attacker can exploit this vulnerability to bypass access controls, call `getcfg.php`, and retrieve sensitive device configuration information, such as administrator account credentials. |
|---|
| ソース | ⚠️ https://github.com/i-Corner/cve/issues/21 |
|---|
| ユーザー | iC0rner (UID 82839) |
|---|
| 送信 | 2025年08月31日 14:26 (9 月 ago) |
|---|
| モデレーション | 2025年09月08日 07:04 (8 days later) |
|---|
| ステータス | 承諾済み |
|---|
| VulDBエントリ | 323049 [D-Link DIR-852 迄 1.00CN B09 Device Configuration /getcfg.php phpcgi_main 情報漏えい] |
|---|
| ポイント | 20 |
|---|