| 제목 | Tenda i3 V1.0.0.6(2204) Authentication Bypass Issues |
|---|
| 설명 | A critical authentication bypass vulnerability exists in the i3 V1.0.0.6(2204) firmware.
The vulnerability is located in the `R7WebsSecurityHandler` function, which acts as the security filter for HTTP requests.
The application defines a whitelist of URL prefixes (e.g., `/public/`, `/lang/`) that are allowed to be accessed without authentication. The function uses `strncmp` to check if the request URL begins with these trusted prefixes: e.g., `if ( !strncmp(s1, "/public/", 8u) ... return 0;`.
However, the application fails to validate or canonicalize the subsequent part of the URL.
An unauthenticated remote attacker can send a crafted HTTP request that starts with a whitelisted prefix but employs directory traversal sequences (`../`) to escape the restricted directory. For example, a request to `/lang/../system_upgrade.asp` will satisfy the `strncmp` check (bypassing authentication) but will be resolved by the web server to the sensitive `system_upgrade.asp` page, granting full administrative access.
|
|---|
| 원천 | ⚠️ https://github.com/MrXiaoFan/TendaVul/tree/main/tenda-i3-V1.0.0.6(2204)-R7WebsSecurityHandler-Authentication%20Bypass%20Issues |
|---|
| 사용자 | Fan95 (UID 95969) |
|---|
| 제출 | 2026. 03. 26. AM 10:04 (17 날 ago) |
|---|
| 모더레이션 | 2026. 04. 08. PM 07:35 (13 days later) |
|---|
| 상태 | 수락 |
|---|
| VulDB 항목 | 356297 [Tenda i3 1.0.0.6(2204) HTTP R7WebsSecurityHandler 디렉토리 순회] |
|---|
| 포인트들 | 20 |
|---|