Telstra Smart Modem Gen 2 HTTP Response Header Injection Vulnerability

A vulnerability exists in the Telstra Smart Modem Gen 2, in versions prior to 20250115, allowing for HTTP response header injection. This issue arises from user-supplied data being improperly validated and sanitized before being inserted into the Content-Disposition header. The vulnerability can be exploited remotely without authentication, potentially enabling attackers to manipulate HTTP headers and inject malicious payloads into server responses.

Impact

Exploitation of this vulnerability allows for HTTP response header injection, which can be used to manipulate response headers or inject content into the response body. This could include setting cookies with malicious values or injecting HTML or JavaScript, creating a cross-site scripting risk.

Reproduction

The vulnerability can be reproduced by sending a crafted HTTP GET request to the modem's HTTP(S) remote access webpage, targeting the robots.txt resource. The request must include a payload in the URL path that exploits the Content-Disposition header injection flaw, such as one that includes control characters to disrupt the header structure.

Remediation

No specific mitigation measures are known, but it is recommended to sanitize user input before it is added to HTTP headers, reject input with control characters or other unsafe combinations, and encode user input to neutralize special characters.