Ahmed Ensar, posted June 5, 2021:

Google Translate: Why does the user account without command interface authority have permission to enter this page and execute commands?
eralde, posted June 5, 2021:

2 hours ago, Ahmed Ensar said:
> Google Translate: Why does the user account without command interface authority have permission to enter this page and execute commands?

The http tag allows the "test" user to use the web UI. It also automatically allows the user to make REST API calls. The page where you enter the command in your screenshot uses this API to communicate with the device. We probably can lock this page from the "readonly" users, but any of those users will still be able to open a new tab in the browser and read parts of the configuration (e.g. my.keenetic.net/rci/user -- list of users with tags).
Ahmed Ensar (author), posted June 5, 2021:

28 minutes ago, eralde said:
> The http tag allows the "test" user to use the web UI. It also automatically allows the user to make REST API calls. The page where you enter the command in your screenshot uses this API to communicate with the device. We probably can lock this page from the "readonly" users, but any of those users will still be able to open a new tab in the browser and read parts of the configuration (e.g. my.keenetic.net/rci/user -- list of users with tags).

Google Translate: I hope they fix these vulnerabilities.
Le ecureuil, posted June 7, 2021:

On 05.06.2021 at 18:24, Ahmed Ensar said:
> Google Translate: I hope they fix these vulnerabilities.

This is not a vulnerability. The read-only tag forces the firmware to block modifying commands, but read-only commands (and reading configs / files, for example) are explicitly allowed. This is by design and cannot be changed. Probably you haven't understood what the 'read-only' tag really means. Try to execute any modifying command and you will see.
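The access model described in the two answers above (the http tag grants web UI and REST API access; the readonly tag allows read commands and configuration reads but blocks modifying commands) can be expressed as a small audit script. This is an added example, not code from the thread or from Keenetic. It assumes a simplified user record shape (a name plus a list of tags; the real /rci/user response format is not shown in the thread) and treats only commands starting with `show` as read-only, which is a placeholder rule for the demo rather than the firmware's actual command classification.

```python
"""Added example: model tag-based access and audit which accounts can reach
the web UI / REST API, and whether they are limited to read-only commands.

Assumptions (not taken from the forum thread):
  - A user is a dict with 'name' and 'tag' (list of strings). The real
    /rci/user output format is not shown on the page.
  - Commands whose first word is 'show' are read-only; anything else is a
    modifying command. This is a simplification for the demo only.
"""

# Constructed sample data, modelled on "list of users with tags".
SAMPLE_USERS = [
    {"name": "admin", "tag": ["cli", "http"]},        # full web/API access
    {"name": "test",  "tag": ["http", "readonly"]},   # web/API, read-only
    {"name": "guest", "tag": []},                     # no web/API access
]

# Assumed read-only command prefixes (placeholder rule, see docstring).
READ_ONLY_FIRST_WORDS = {"show"}


def has_web_access(user):
    """The http tag grants web UI and, with it, REST API access."""
    return "http" in user["tag"]


def is_read_only(user):
    """The readonly tag restricts the account to non-modifying commands."""
    return "readonly" in user["tag"]


def command_allowed(user, command):
    """Return True if `user` may run `command` through the web/API path.

    Without http the account cannot reach the API at all; with readonly it
    may run read commands but not modifying ones; otherwise anything goes.
    """
    if not has_web_access(user):
        return False
    words = command.strip().split()
    if not words:
        return False  # empty command: nothing to execute
    if is_read_only(user):
        return words[0] in READ_ONLY_FIRST_WORDS
    return True


def audit_users(users):
    """Map each account that can reach the web UI/API to its access level.

    Useful as a periodic check: any 'full' entry can change configuration,
    and every entry (read-only included) can read configuration such as
    the user list itself.
    """
    report = {}
    for user in users:
        if has_web_access(user):
            report[user["name"]] = "read-only" if is_read_only(user) else "full"
    return report


if __name__ == "__main__":
    for name, level in audit_users(SAMPLE_USERS).items():
        print(f"{name}: {level}")
```

Running the audit on the constructed sample lists `admin` as full and `test` as read-only, while `guest` does not appear because it lacks the http tag. The practical takeaway matches the answers above: since a read-only account can still read configuration through the API, the http tag should only be given to accounts that are allowed to see the device configuration in the first place.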