Path traversal in TP-LINK WR740 and possibly others
TP-Link WR740 routers are affected by a path traversal vulnerability in the web administration interface. Unauthenticated users can read any file from the device.
CVSS Score
Severity
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Advisory
| Vendor | TP-Link |
| Models | WR740N, WR740ND, WR743ND, WR842ND, WA-901ND, WR941N, WR941ND, WR1043ND, WR2543ND, MR3220, MR3020, WR841N |
| Firmware | 3.12.11 Build 111130 Rel.55312n and possibly others |
| Impact | Disclosure of configuration and password files |
| Attack Vector | Remote, no authentication required |
Description
The TP-Link WR740ND / WR740N exposes a web management interface on port 80. The URI /help is affected by a path traversal vulnerability that lets an unauthenticated attacker read arbitrary files from the device, including configuration files containing credentials.
If the device has been configured with services such as No-IP, DynDNS, Samba, or NFS, their configuration files (and their credentials) are readable over the same endpoint.
Remediation
No vendor fix. Disable WAN-side HTTP administration; upgrade if patched firmware is released.
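With no vendor fix available, requests reaching the management interface can be monitored for traversal attempts against /help. The following is an added example, not part of the original advisory: it assumes a proxy or sensor in front of the router that logs requests in Common Log Format, and the log lines, addresses and file names are constructed placeholders.

```python
import re
from urllib.parse import unquote

# Assumption: requests are logged in Common Log Format by a proxy or sensor
# in front of the router; the advisory itself does not describe any logging.
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')

def decode_fully(uri, max_rounds=5):
    """Percent-decode repeatedly so double-encoded dots and slashes are exposed."""
    for _ in range(max_rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri

def is_help_traversal(uri):
    """True if a request under /help contains a '..' path segment after decoding."""
    path = decode_fully(uri.split("?", 1)[0]).replace("\\", "/")
    segments = [s for s in path.split("/") if s]
    return bool(segments) and segments[0].lower() == "help" and ".." in segments

def scan(lines):
    """Return (client, uri, status) for each logged request that matches."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if m and is_help_traversal(m.group(3)):
            hits.append((m.group(1), m.group(3), int(m.group(4))))
    return hits

# Constructed sample log lines (not captured traffic; file names are placeholders).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /help/index.htm HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /help/../../placeholder.conf HTTP/1.1" 200 1337',
    '198.51.100.7 - - [01/Jan/2024:10:00:06 +0000] "GET /help/%2e%2e/%2e%2e/placeholder.conf HTTP/1.1" 200 1337',
    '203.0.113.4 - - [01/Jan/2024:10:00:09 +0000] "GET /help/%252e%252e%252fplaceholder.conf HTTP/1.1" 404 0',
    '192.0.2.10 - - [01/Jan/2024:10:00:12 +0000] "GET /images/logo..png HTTP/1.1" 200 90',
]

if __name__ == "__main__":
    for client, uri, status in scan(SAMPLE_LOG):
        # A 200 status means content was served and should be treated as disclosed.
        print(f"{client} {status} {uri}")
```

Any hit with a 200 status should be treated as disclosure of whatever credentials the device stores, and those credentials rotated.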