
CVE-2021-46009

by KVS

  • Description
    Multiple pages can be read with curl or Burp Suite without authentication. Additionally, admin configurations can be set without any session cookie, so an attacker can enable telnet and log in as root with a shell.

  • Affected version
    Totolink A3100R V5.9c.4577

  • Root Cause Analysis
    a. Session management is not enforced properly, so the source of admin pages can be viewed with curl or Burp Suite.
    b. There is no authorization check when a new setting is POSTed to the target.
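The following is an added illustration of the fix for the two root causes above; it is not code from the advisory or from Totolink, and every path, field name and the session TTL are assumptions. It shows a minimal admin handler where both page reads and settings POSTs are gated on a live, server-issued session, which is exactly the gate the advisory describes as missing.

```python
"""Added example (not the vendor's code): a minimal admin request handler
that requires a live session for page reads and for settings POSTs.
All routes, field names and SESSION_TTL are assumptions for illustration."""
import secrets
import time

SESSION_TTL = 600  # seconds a login cookie stays valid (assumed value)


class AdminHandler:
    def __init__(self, check_credentials):
        # check_credentials(user, password) -> bool is supplied by the caller
        self._check_credentials = check_credentials
        self._sessions = {}  # session token -> expiry timestamp
        self.settings = {"telnet_enabled": False}

    def _login(self, body, now):
        if not self._check_credentials(body.get("user", ""), body.get("password", "")):
            return 401, {"error": "bad credentials"}
        token = secrets.token_urlsafe(32)  # unguessable, issued only by the server
        self._sessions[token] = now + SESSION_TTL
        return 200, {"session": token}

    def _authorised(self, cookies, now):
        # Missing, unknown and expired tokens are all rejected the same way.
        token = (cookies or {}).get("SESSION")
        expiry = self._sessions.get(token) if token else None
        if expiry is None or expiry < now:
            self._sessions.pop(token, None)
            return False
        return True

    def handle(self, method, path, cookies=None, body=None, now=None):
        now = time.time() if now is None else now
        body = body or {}
        if method == "POST" and path == "/login":
            return self._login(body, now)
        # The advisory's root cause is the absence of this gate: every other
        # route, whether it reads a page or writes a setting, needs a session.
        if not self._authorised(cookies, now):
            return 401, {"error": "authentication required"}
        if method == "GET" and path == "/admin/status":
            return 200, dict(self.settings)
        if method == "POST" and path == "/admin/settings":
            unknown = set(body) - set(self.settings)
            if unknown:
                return 400, {"error": "unknown setting", "fields": sorted(unknown)}
            self.settings.update({k: bool(v) for k, v in body.items()})
            return 200, dict(self.settings)
        return 404, {"error": "not found"}
```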

  • Proof-of-Concept

