D-Link DIR-852 Information Disclosure Vulnerability via Authentication Bypass

Vulnerability

An authentication bypass vulnerability has been identified in the D-Link DIR-852 router, specifically in versions through 1.00CN B09. This vulnerability resides in the 'phpcgi_main' function of the '/getcfg.php' file, part of the Device Configuration Handler component. The issue allows for unauthorized access to sensitive information by manipulating POST request parameters. Exploitation can be performed remotely, and a public exploit is available.

Impact

Exploitation of this vulnerability leads to unauthorized information disclosure, allowing attackers to access sensitive device configuration data, including administrator account credentials.

Reproduction

To reproduce this vulnerability, send a POST request to '/getcfg.php' with the 'SERVICES' parameter set to request specific device configuration files. Include a newline character to inject a forged 'AUTHORIZED_GROUP' value, bypassing the authentication check. The injected value will be processed first, allowing access to the requested information.

Remediation

It is recommended to implement restrictive firewall rules to block unauthorized access to the vulnerable device.
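A detection-side check for the request shape described under Reproduction, as an added example that is not part of the original advisory or the vendor's code: it flags POST bodies sent to '/getcfg.php' in which a line break, raw or percent-encoded, is followed by 'AUTHORIZED_GROUP'. The function names, the sample requests and the assumption that legitimate clients never send 'AUTHORIZED_GROUP' are illustrative.

```python
import re
from urllib.parse import unquote, unquote_to_bytes, urlsplit

TARGET_PATH = "/getcfg.php"
# Assumption: AUTHORIZED_GROUP is set by the device, never by a legitimate client,
# so a line break followed by that name in a request body is treated as injection.
INJECTED = re.compile(rb"[\r\n]\s*AUTHORIZED_GROUP\s*=")


def decode_layers(body: bytes, max_rounds: int = 3) -> bytes:
    """Percent-decode repeatedly so %0a and %250a both become a raw newline."""
    for _ in range(max_rounds):
        decoded = unquote_to_bytes(body.replace(b"+", b" "))
        if decoded == body:
            break
        body = decoded
    return body


def classify_request(method: str, target: str, body: bytes) -> str:
    """Return 'ignore' (not the handler), 'ok' or 'alert' for one request."""
    path = unquote(urlsplit(target).path).lower()
    if method.upper() != "POST" or path != TARGET_PATH:
        return "ignore"
    return "alert" if INJECTED.search(decode_layers(body)) else "ok"


# Constructed sample requests (method, target, body); values are placeholders.
SAMPLES = [
    ("POST", "/getcfg.php", b"SERVICES=EXAMPLE.SERVICE"),
    ("POST", "/getcfg.php", b"SERVICES=EXAMPLE.SERVICE%0aAUTHORIZED_GROUP=PLACEHOLDER"),
    ("POST", "/getcfg.php", b"SERVICES=EXAMPLE.SERVICE%250AAUTHORIZED_GROUP=PLACEHOLDER"),
    ("POST", "/getcfg.php?x=1", b"SERVICES=EXAMPLE.SERVICE\r\nAUTHORIZED_GROUP=PLACEHOLDER"),
    ("GET", "/getcfg.php", b""),
    ("POST", "/index.php", b"a=1%0aAUTHORIZED_GROUP=PLACEHOLDER"),
]


def scan(samples=SAMPLES):
    """Classify every sample and return the verdicts in order."""
    return [classify_request(m, t, b) for m, t, b in samples]


if __name__ == "__main__":
    for sample, verdict in zip(SAMPLES, scan()):
        print(verdict, sample[0], sample[1], sample[2])
```

The same pattern can be applied to proxy or packet-capture logs that record request bodies; an 'alert' on a device that should not be reachable from the source address also indicates the firewall rules above are not in effect.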

Added: Sep 8, 2025, 12:18 PM
Updated: Sep 8, 2025, 4:45 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 8.7
remediation: 0.0
relevance: 0.5
threat: 6.4
urgency: 2.9
incentive: 5.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.