Tenda W15E
cpe:2.3:h:tenda:w15e:*:*:*:*:*:*:*
- V02.03.01.26_cn
An incorrect access control vulnerability has been identified in the Tenda W15E router, specifically in version V02.03.01.26_cn. It allows unauthenticated attackers to access the /cgi-bin/DownloadCfg/RouterCfm.jpg endpoint, which, despite its .jpg extension, delivers the router's configuration file. This file contains plaintext administrator credentials, including the admin password and Wi-Fi details. The exposure of these credentials could lead to unauthorized remote administrative access.
Exploitation of this vulnerability allows attackers to download the router's configuration file, which includes plaintext administrator credentials. This could result in unauthorized access to the router's administrative functions.
To reproduce this vulnerability, send an HTTP GET request to the /cgi-bin/DownloadCfg/RouterCfm.jpg endpoint on the target Tenda W15E router. The request can be made using a web browser or a tool like curl. Ensure that the router's IP address is specified in the request. The configuration file will be returned as a response, containing sensitive information such as the admin password and Wi-Fi credentials.
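Detection logic for the request described above, as an added example that is not part of the original advisory. The event fields (`src`, `method`, `uri`, `status`, `body_prefix`), the management-host allowlist and the sample records are assumptions constructed for illustration; map them to whatever your proxy or network sensor actually records.

```python
import re
from urllib.parse import unquote

# Path named in the advisory, lower-cased for comparison.
CFG_PATH = "/cgi-bin/downloadcfg/routercfm.jpg"
JPEG_MAGIC = b"\xff\xd8\xff"  # first bytes of every real JPEG file

def normalize_path(uri):
    """Strip query/fragment, decode percent-escapes, collapse '//', lower-case.
    Matching is deliberately broader than the literal path so that trivially
    re-encoded requests are still seen."""
    path = re.split(r"[?#]", uri, maxsplit=1)[0]
    return re.sub(r"/+", "/", unquote(path)).lower()

def classify(event, mgmt_hosts=frozenset()):
    """Return 'config-exposed', 'probe' or None for one HTTP transaction."""
    if event["method"] != "GET" or normalize_path(event["uri"]) != CFG_PATH:
        return None
    if event["src"] in mgmt_hosts:  # hypothetical admin allowlist
        return None
    # A 200 whose body is not a JPEG means the ".jpg" URL returned other data,
    # which on an affected device is the configuration file.
    if event["status"] == 200 and not event["body_prefix"].startswith(JPEG_MAGIC):
        return "config-exposed"
    return "probe"

def scan(events, mgmt_hosts=frozenset()):
    """Return (source, uri, finding) for every event that is flagged."""
    out = []
    for ev in events:
        finding = classify(ev, mgmt_hosts)
        if finding:
            out.append((ev["src"], ev["uri"], finding))
    return out

# Constructed sample events (documentation-range addresses, placeholder bodies).
SAMPLE_EVENTS = [
    {"src": "198.51.100.7", "method": "GET", "status": 200,
     "uri": "/cgi-bin/DownloadCfg/RouterCfm.jpg", "body_prefix": b"key=value\n"},
    {"src": "198.51.100.9", "method": "GET", "status": 403,
     "uri": "/cgi-bin//DownloadCfg/RouterCfm%2Ejpg?t=1", "body_prefix": b""},
    {"src": "192.0.2.10", "method": "GET", "status": 200,
     "uri": "/cgi-bin/DownloadCfg/RouterCfm.jpg", "body_prefix": b"key=value\n"},
    {"src": "198.51.100.7", "method": "GET", "status": 200,
     "uri": "/images/logo.jpg", "body_prefix": b"\xff\xd8\xff\xe0"},
]

if __name__ == "__main__":
    for row in scan(SAMPLE_EVENTS, mgmt_hosts={"192.0.2.10"}):
        print(row)
```

A `config-exposed` finding means the credentials in that file should be treated as disclosed and rotated; a `probe` finding means the path was requested but no non-image body was returned.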