Vulnerability Note VU#185100
TP-LINK TL-WR841N wireless router local file inclusion vulnerability
Overview
The TP-LINK TL-WR841N wireless router contains a local file inclusion vulnerability which could allow an attacker to download critical configuration files off the device.
Description
CWE-829: Inclusion of Functionality from Untrusted Control Sphere
The TP-LINK TL-WR841N wireless router web-based management interface contains a local file inclusion (LFI) vulnerability. The URL parameter is not properly sanitized before being parsed. It has been reported that TP-LINK TL-WR841N wireless routers running firmware version 3.13.9 Build 120201 Rel.54965n and below are affected.
Impact
An attacker with access to the TP-LINK TL-WR841N web interface could download critical configuration files off the device.
Solution
We are currently unaware of a practical solution to this problem.
Restrict access
Vendor Information
| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| TP-Link | Affected | - | 07 Jan 2013 |
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | 4.3 | AV:N/AC:M/Au:N/C:P/I:N/A:N |
| Temporal | 3.1 | E:U/RL:W/RC:UC |
| Environmental | 0.9 | CDP:L/TD:L/CR:ND/IR:ND/AR:ND |
References
- http://www.tp-link.com/en/products/details/?model=TL-WR841N
- http://cwe.mitre.org/data/definitions/829.html
Credit
Thanks to Matan Azugi for reporting this vulnerability.
This document was written by Michael Orlando.
Other Information
- CVE IDs: CVE-2012-6276
- Date Public: 11 Jan 2013
- Date First Published: 11 Jan 2013
- Date Last Updated: 11 Jan 2013
- Document Revision: 7