Path traversal in TP-LINK WR740 and possibly others
TP-Link WR740 routers are affected by a path traversal vulnerability in the web administration interface. Unauthenticated users are able to read any file from the device.
|Models:||WR740N, WR740ND and possibly others. Update: People have been reporting on forums that models WR743ND, WR842ND, WA-901ND, WR941N, WR941ND, WR1043ND, WR2543ND, MR3220, MR3020, WR841N are also based on the same HTTP daemon, but we haven't been able to test them ourselves.|
|Firmware:||3.12.11 Build 111130 Rel.55312n and possibly others|
|Impact:||Disclosure of configuration and password files.|
|Attack vector:||Remote. No auth required.|
The TP-Link WR740ND/WR740N router has an HTTP server running on port 80 that handles the web management interface.
A path traversal vulnerability in the URI "/help" allows attackers to read any file, including configuration files.
It is possible to read other configuration files if the corresponding services have been configured previously (No-IP, DynDNS, Samba, NFS).
After further research we discovered that the URL had been posted before on a Russian forum, but it was not described as a vulnerability and a different model was specified.
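For detection, the following added example (not part of the original advisory) flags logged requests that are addressed to "/help" but resolve outside it once percent-encoding is undone and the path is normalised. It assumes request logs in common log format from a proxy or network sensor in front of the device; the log lines, file names and function names are constructed for illustration.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

HELP_PREFIX = "/help"  # URI named in the advisory
# Assumption: request field in common log format, "METHOD URI HTTP/x.y"
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<uri>\S+) HTTP/[\d.]+"')

# Constructed sample lines (documentation IP ranges, placeholder file names)
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /help/index.htm HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /help/../../constructed/file HTTP/1.1" 200 128',
    '198.51.100.7 - - [01/Jan/2024:10:00:06 +0000] "GET /help/%2e%2e/%2e%2e/constructed/file HTTP/1.1" 200 128',
    '198.51.100.7 - - [01/Jan/2024:10:00:07 +0000] "GET /help/%252e%252e%252fconstructed HTTP/1.1" 404 0',
    '192.0.2.10 - - [01/Jan/2024:10:00:09 +0000] "GET /help/a/../b.htm HTTP/1.1" 200 64',
]

def fully_decode(path, max_rounds=3):
    """Percent-decode repeatedly so single- and double-encoded dots are unmasked."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def inside_help(path):
    return path == HELP_PREFIX or path.startswith(HELP_PREFIX + "/")

def is_help_traversal(uri):
    """True when a request addressed to /help resolves to a path outside /help."""
    path = fully_decode(urlsplit(uri).path).replace("\\", "/")
    if not inside_help(path):
        return False  # not a request to the affected URI
    # normpath collapses "a/../b" and drops ".." segments that climb past "/"
    return not inside_help(posixpath.normpath(path))

def find_suspicious(log_lines):
    """Return the log lines whose request URI escapes /help."""
    hits = []
    for line in log_lines:
        match = REQUEST_RE.search(line)
        if match and is_help_traversal(match.group("uri")):
            hits.append(line)
    return hits

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print("ALERT:", hit)
```

Because the advisory states that no authentication is required, the check deliberately ignores session or login state and looks only at the request path.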