vendor:
Netgear Wireless Router WNR500
by:
Gjoko 'LiquidWorm' Krstic
5.5
CVSS
MEDIUM
Parameter Traversal Arbitrary File Access
22
CWE
Product Name: Netgear Wireless Router WNR500
Affected Version From: WNR500 (firmware: 1.0.7.2)
Affected Version To:
Patch Exists: NO
Related CWE:
CPE:
Platforms Tested:
2014
Netgear Wireless Router WNR500 Parameter Traversal Arbitrary File Access Exploit
The router suffers from an authenticated file inclusion vulnerability (LFI) when input passed thru the 'getpage' parameter to 'webproc' script is not properly verified before being used to include files. This can be exploited to include files from local resources with directory traversal attacks.
Mitigation:
Upgrade to a firmware version that fixes the vulnerability.