Tenda CH22 Path Traversal Vulnerability in httpd Component

A path traversal vulnerability has been identified in the Tenda CH22 router, specifically in the 1.0.0.6(468) firmware version. The issue arises within the R7WebsSecurityHandlerfunction of the httpd component, where the application fails to properly validate or canonicalize URL paths. This flaw allows unauthenticated remote attackers to send crafted HTTP requests that bypass authentication and access sensitive resources, such as administrative interfaces and confidential information. The vulnerability exploits a URL prefix whitelist intended to control access to static resources, but the lack of proper validation enables traversal sequences to escape restricted directories and reach sensitive files.

Impact

Exploitation of this vulnerability allows for unauthenticated access to sensitive resources and administrative functions on the router.

Reproduction

To reproduce this vulnerability, send an HTTP GET request to the Tenda CH22 router's web server, targeting a URL that begins with a whitelisted prefix, such as '/public/'. Include directory traversal sequences, like '../', to escape the restricted directory and access sensitive files, such as 'system_upgrade.asp'. The request will bypass authentication and grant access to administrative functions.