Tenda CH22 Router Authentication Bypass via URL Prefix Bypass in R7WebsSecurityHandler

Critical Vulnerability Information Title: Tenda CH22 V1.0.0.1 Authentication Bypass Issues Description: A severe authentication bypass vulnerability exists in the Tenda CH22 V1.0.0.1 firmware. The vulnerability resides in the R7WebsSecurityHandler function, which serves as an HTTP request security filter. The application defines a whitelist of URL prefixes allowed to be accessed without authentication (e.g., /public/, /lang/, /images/). The function uses strncmp to check if the requested URL starts with these trusted prefixes—for example, if (!strncmp(s1,"/public/",8u) ...) returns 0. However, the application fails to validate or normalize the subsequent parts of the URL. Unauthorized remote attackers can send a carefully crafted HTTP request that begins with a whitelisted prefix but includes directory traversal sequences (../../) to escape restricted directories. For instance, a request to /public/../../system_upgrade.asp will pass the strncmp check (bypassing authentication), but will be resolved by the web server as the sensitive system_upgrade.asp page, granting full administrative access. Source: https://github.com/master-abc/cve/blob/main/Tenda%20CH22%20V1.0.0.1%20Router%20Authentication%20Bypass%20Vulnerability%20in%20R7WebsSecurityHandler%20function.md Submitter: jiefengliang (UID 93721) Submission Time: December 22, 2022, 09:48 AM (7 days ago) Review Time: December 24, 2022, 05:54 PM (2 days later) Status: Accepted VulDB Entry: 338333 [Tenda CH22 1.0.0.1 /public/ Path Traversal] Points: 20

Goal Reached Thanks to every supporter — we hit 100%!

Tenda CH22 Router Authentication Bypass via URL Prefix Bypass in R7WebsSecurityHandler