CVE-2023-XXXX2: GL.iNET Auth Token in GET Query String

#web #security-research #iot

CVE-2023-XXXX2: GL.iNET Auth Token in GET Query String

  • CVSS Score - 5.3, Medium (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N)
  • Overview - When the OpenVPN server config is exported through the web GUI, the admin authentication token is passed through a GET parameter instead of the Authorization HTTP header, meaning the token is more visible and has a greater chance of being stolen.
  • Description - Including sensitive tokens in the query string of GET requests can be a vulnerability (link1, link2, link3) since query strings are visible in various ways. For example, query strings are logged in web requests and proxies, can show up in browser history, and even in Referer headers when a third party is visited afterwards. The API is set to accept tokens through the Authorization header, POST parameters, or GET parameters. Most of the requests made to the API put the token in the Authorization header except for this one.

Fix

This was fixed in version 3.216.

Note - a request for a CVE has been made but I haven’t heard back yet. I’ll update this when I know

PoC


Theme Pure | Powered by Hexo and Cookies I take no responsibility for anything on this site because that's too much work