Tenda CH22 Path Traversal Vulnerability in R7WebsSecurityHandler

A path traversal vulnerability has been identified in the Tenda CH22 router running firmware version 1.0.0.1. The issue arises in the R7WebsSecurityHandler function, which serves as a security filter for HTTP requests. The function allows unauthenticated access to certain URL prefixes, including '/public/'. However, it fails to properly validate or canonicalize the URL path, enabling remote attackers to exploit this weakness by sending crafted HTTP requests that traverse directories and access sensitive files. For instance, a request to '/public/../../system_upgrade.asp' can bypass authentication and grant administrative access.

Impact

Exploitation of this vulnerability allows unauthorized users to access restricted files and directories, potentially leading to unauthorized administrative access on the router.

Reproduction

To reproduce this vulnerability, send an HTTP GET request to the router's IP address targeting the '/public/' directory. Include directory traversal sequences in the URL to escape the restricted directory and access sensitive files, such as 'system_upgrade.asp', which can grant administrative privileges.