Grandstream GXP1628 Incorrect Access Control Vulnerability Allowing Unauthorized Directory Listing

Vulnerability

A vulnerability in the Grandstream GXP1628 VoIP phone, running firmware through version 1.0.4.130, stems from incorrect access control on the device's web server, which serves directory listings for certain paths. This misconfiguration lets unauthenticated users enumerate and access sensitive directories and files, potentially exposing critical information such as configuration files and logs, which could be used for further attacks.

Impact

Exploitation of this vulnerability could lead to unauthorized access to sensitive files, including configuration and log data, with the potential for additional attacks such as information disclosure or system compromise.

Reproduction

To reproduce this vulnerability, navigate to the device's IP address and append '/webapp/', '/cgi-bin/', or '/json/contents/' to the URL. The device will respond with a directory listing that includes files not meant to be publicly accessible. Once the sensitive files are identified, they can be accessed directly.

Remediation

Users are advised to disable directory listing in the device's web server configuration and to check for any available firmware updates from Grandstream that address this vulnerability.
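The advisory lists the affected paths and the remediation but gives no way to confirm that a device is actually fixed. The script below is an added example, not Grandstream's code or part of the advisory: it requests the three paths the advisory names on a device you administer and reports whether the response still looks like a directory listing, which is the check to run after disabling listing or applying a firmware update. The listing detector is heuristic and assumes either an autoindex-style HTML page ("Index of /..." title plus file links) or a JSON array of entries; the sample responses, the placeholder address 192.0.2.10 and the User-Agent string are all constructed for illustration.

```python
"""Post-remediation check: does a GXP1628 (or any embedded web server) still
serve directory listings at the paths named in the advisory?

Added example; not Grandstream's code. The detector is heuristic and assumes
an autoindex-style HTML page or a JSON array of entries (assumption). All
sample responses below are constructed, not captured from a device.
"""
import json
import re
import sys
import urllib.error
import urllib.request

# Paths the advisory reports as returning a listing on affected firmware.
ADVISORY_PATHS = ("/webapp/", "/cgi-bin/", "/json/contents/")

_INDEX_TITLE = re.compile(r"<title>\s*Index of\s+/", re.IGNORECASE)
_HREF = re.compile(r'<a\s+href="([^"]+)"', re.IGNORECASE)

# Constructed sample responses (not captured from a device) for self-testing.
SAMPLE_AUTOINDEX = """<html><head><title>Index of /cgi-bin/</title></head>
<body><h1>Index of /cgi-bin/</h1>
<a href="../">../</a>
<a href="config.cgi">config.cgi</a>
<a href="logs/">logs/</a>
</body></html>"""
SAMPLE_LOGIN_PAGE = """<html><head><title>Login</title></head>
<body><form><a href="/help">Help</a></form></body></html>"""
SAMPLE_JSON_LISTING = '[{"name": "phonebook.xml"}, {"name": "cfg.bin"}]'


def looks_like_listing(body: str, content_type: str = "") -> bool:
    """Return True if a response body appears to enumerate a directory.

    Two shapes are recognised:
      * autoindex HTML: an "Index of /..." title plus at least one link
        other than the parent-directory or column-sort links;
      * a non-empty JSON array of strings or of objects carrying a "name"
        key (assumed shape for a JSON-based folder enumeration).
    """
    text = body.strip()
    if "json" in content_type.lower() or text.startswith("["):
        try:
            data = json.loads(text)
        except ValueError:
            return False
        return isinstance(data, list) and len(data) > 0 and all(
            isinstance(e, str) or (isinstance(e, dict) and "name" in e)
            for e in data
        )
    if not _INDEX_TITLE.search(text):
        return False
    entries = [h for h in _HREF.findall(text)
               if h not in ("../", "/") and not h.startswith("?")]
    return len(entries) >= 1


def check_path(base_url: str, path: str, timeout: float = 5.0) -> dict:
    """Fetch one path on the device and report whether it exposes a listing."""
    url = base_url.rstrip("/") + path
    result = {"path": path, "status": None, "listing": False}
    req = urllib.request.Request(url, headers={"User-Agent": "listing-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            result["status"] = resp.status
            body = resp.read(65536).decode("utf-8", errors="replace")
            result["listing"] = looks_like_listing(
                body, resp.headers.get("Content-Type", ""))
    except urllib.error.HTTPError as exc:
        result["status"] = exc.code  # 401/403/404 means the path is closed
    except (urllib.error.URLError, OSError) as exc:
        result["error"] = str(exc)
    return result


def check_device(base_url: str) -> list:
    """Run the check for every advisory path; a remediated device reports none."""
    return [check_path(base_url, p) for p in ADVISORY_PATHS]


if __name__ == "__main__":
    # Usage: python check_listing.py http://<phone-ip>  (placeholder default)
    target = sys.argv[1] if len(sys.argv) > 1 else "http://192.0.2.10"
    results = check_device(target)
    for r in results:
        print(r)
    exposed = any(r["listing"] for r in results)
    print("STILL EXPOSED" if exposed else "no directory listing detected")
```

Run it against the phone's management address before and after applying the remediation; a fixed device should answer each path with a 401/403/404 or a non-listing page, and `listing` should be False for all three. Treat a 200 with `listing: True` as the vulnerability still being present.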

Added: Jul 29, 2025, 5:25 PM
Updated: Jul 29, 2025, 7:07 PM

Vulnerability Rating

Custom Algorithm

spread:         4.5
impact:         2.5
exploitability: 9.1
remediation:    8.3
relevance:      0.3
threat:         6.4
urgency:        2.9
incentive:      9.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.