An issue was discovered on Dasan GPON home routers. It is possible to bypass authentication simply by appending ?images to any URL of the device that requires authentication, as demonstrated by the /menu.html?images/ or /GponForm/diag_FORM?images/ URI. One can then manage the device.
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
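A defensive check for the `?images` bypass described above, as an added example that is not part of the original advisory: it scans HTTP request logs for targets whose query string is the `images` marker. It assumes Common Log Format entries from a proxy or sensor in front of the router's management interface; the log lines, addresses, status codes and function names are constructed for illustration, and matching case-insensitively after percent-decoding is a deliberately broad choice that goes beyond the two URIs in the advisory.

```python
import re
from urllib.parse import urlsplit, unquote

# Source address, request line and status of a Common Log Format entry (assumed format).
REQUEST_RE = re.compile(
    r'^(?P<src>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

def has_bypass_marker(target):
    """True when the query component is 'images' or begins with 'images/' or 'images&'."""
    query = unquote(urlsplit(target).query).lower()
    return query == "images" or query.startswith(("images/", "images&"))

def scan(lines):
    """Return one finding per log line whose request target carries the marker."""
    findings = []
    for number, line in enumerate(lines, 1):
        m = REQUEST_RE.match(line)
        if not m or not has_bypass_marker(m["target"]):
            continue
        findings.append({
            "line": number,
            "src": m["src"],
            "method": m["method"],
            "path": urlsplit(m["target"]).path,
            # A 2xx status means content was returned for this request: triage first.
            "served": m["status"].startswith("2"),
        })
    return findings

# Constructed sample log; addresses are from documentation ranges.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/May/2018:10:00:01 +0000] "GET /images/logo.png HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/May/2018:10:00:05 +0000] "GET /menu.html?images/ HTTP/1.1" 200 8342',
    '198.51.100.7 - - [01/May/2018:10:00:09 +0000] "POST /GponForm/diag_FORM?images/ HTTP/1.1" 200 211',
    '192.0.2.10 - - [01/May/2018:10:01:00 +0000] "GET /menu.html?imagesize=2 HTTP/1.1" 302 0',
    '203.0.113.5 - - [01/May/2018:10:02:30 +0000] "GET /login.html?IMAGES HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A real path under `/images/` and an unrelated query such as `imagesize=2` are not flagged, because only the query component is tested.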
Name | Vendor | Start Version | End Version |
---|---|---|---|
Gpon_router_firmware | Dasannetworks | - (including) | - (including) |