Ahmed Ensar

Question

3 answers to this question

2 hours ago, Ahmed Ensar said:

Google Translate:

Why does the user account without command interface authority have permission to enter this page and execute commands?

This tag

tag http

allows the "test" user to use the web UI. It also automatically allows the user to make REST API calls. The page where you enter the command in your screenshot uses this API to communicate with the device.

We probably can lock this page from the "readonly" users, but any of those users will still be able to open a new tab in the browser and read parts of the configuration (e.g. my.keenetic.net/rci/user -- list of users with tags).

28 minutes ago, eralde said:

[quotes the answer above in full]

Google Translate:

I hope they fix these vulnerabilities.

On 05.06.2021 at 18:24, Ahmed Ensar said:

Google Translate:

I hope they fix these vulnerabilities.

This is not a vulnerability. The read-only tag forces the firmware to block modifying commands, but read-only commands (and reading configs/files, for example) are explicitly allowed. This is by design and cannot be changed. Probably you haven't understood what the 'read-only' tag really means.

Try to execute any modifying command and you will see.


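A small model of the tag-based authorization the three posts above describe, added here as an illustration; it is not Keenetic firmware code and not code from any poster. It assumes, as the thread states, that the http tag grants both the web UI and the REST API under /rci/, and that the readonly tag blocks modifying commands while leaving reads allowed. Everything else is an assumption of the model: the account list is constructed, the cli tag name is kept only for contrast, HTTP GET is treated as a read and any other method as a modification, and the mapping from a browser-console command to an /rci/ request is invented. The point it demonstrates is the one in the second and third answers: the check happens per request, so hiding the command page from read-only users would not change what they can fetch by opening an /rci/ URL in a new tab.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed sample accounts (not taken from any real device).
# "http" = web UI + REST API, "readonly" = no modifying commands,
# "cli" = command-line interface (assumed tag name, kept for contrast).
ACCOUNTS = {
    "admin": {"cli", "http"},
    "test": {"http", "readonly"},
    "guest": set(),
}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def is_modifying(method: str) -> bool:
    # Assumption of this model: GET reads, every other method modifies.
    return method.upper() != "GET"


def authorize_rci(user: str, method: str, path: str) -> Decision:
    """Decide whether `user` may issue `method path` against the REST API.

    As in the thread: the http tag is what gates /rci/, and readonly is
    enforced on the command (read vs modify), not on which UI page sent it.
    """
    tags = ACCOUNTS.get(user)
    if tags is None:
        return Decision(False, "unknown account")
    if not path.startswith("/rci/"):
        return Decision(False, "not an RCI path")
    if "http" not in tags:
        return Decision(False, "no http tag: web UI and REST API denied")
    if is_modifying(method) and "readonly" in tags:
        return Decision(False, "readonly tag: modifying command blocked")
    return Decision(True, "modify allowed" if is_modifying(method) else "read allowed")


def web_console_request(user: str, command: str) -> Decision:
    """The browser command page forwards a CLI-style command over the REST API,
    so it is gated by the same rules as a direct request (no cli tag needed).

    Constructed mapping for this model: `show ...` becomes GET /rci/show/...,
    anything else becomes POST /rci/<words joined with />.
    """
    words = command.split()
    path = "/rci/" + "/".join(words)
    method = "GET" if words and words[0] == "show" else "POST"
    return authorize_rci(user, method, path)


def readable_by(user: str, paths: list[str]) -> list[str]:
    """Which of `paths` the user can still read by opening them in a new tab."""
    return [p for p in paths if authorize_rci(user, "GET", p).allowed]


if __name__ == "__main__":
    # Constructed probe paths; /rci/user is the one named in the thread.
    probes = ["/rci/user", "/rci/show/version", "/rci/show/running-config"]
    for u in ACCOUNTS:
        print(u, "can read:", readable_by(u, probes))
        print(u, "console 'show version':", web_console_request(u, "show version"))
        print(u, "console 'user bob tag http':", web_console_request(u, "user bob tag http"))
```

Running it shows the behaviour the third answer asks the original poster to verify: the test account can issue `show version` from the console page and can read /rci/user directly, but any modifying command is refused because of the readonly tag, while guest, which lacks http, gets nothing at all.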