|
Description
|
|
Matan Azugi has reported two vulnerabilities in the TP-LINK TL-WR841N Router, which can be exploited by malicious people to disclose potentially sensitive information and conduct cross-site request forgery attacks.
1) Input appended to the URL after help/ is not properly verified before being used. This can be exploited to disclose the contents of arbitrary files via directory traversal sequences.
2) The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to e.g. modify user credentials if a logged-in administrative user visits a malicious web site.
The vulnerabilities are reported in firmware version 3.13.9 build 120201 Rel.54965n. Other versions may also be affected.
|
|
|
|
|
|
Vulnerable Products
|
|
Vulnerable OS:
TP-LINK TL-WR841N RouterVulnerable Software:
|
|
|
|
|
|
Solution
|
|
No official solution is currently available.
|
|
|
|
|
|
CVE
|
|
CVE-2012-5687
|
|
|
|
|
|
References
|
|
http://archives.neohapsis.com/archives/fulldisclosure/2012-10/0224.html
http://archives.neohapsis.com/archives/fulldisclosure/2012-12/0094.html
|
|
|
|
|
|
Vulnerability Manager Detection
|
|
No
|
|
|
|
|
|
IPS Protection
|
|
|
|
|
|
|
