Tenda i6 Path Traversal Vulnerability in HTTP Handler

A critical path traversal vulnerability has been identified in the Tenda i6 router, specifically in version 1.0.0.7(2204). The issue arises in the R7WebsSecurityHandlerfunction, which manages HTTP requests by implementing a URL prefix whitelist to allow unauthenticated access to certain static resources. However, the function fails to properly validate or canonicalize the URL paths, enabling remote attackers to exploit this weakness. By crafting a request that includes directory traversal sequences, attackers can bypass authentication and access sensitive files, such as the system_upgrade.asp page, which contains administrative functions.

Impact

Exploitation of this vulnerability allows for unauthenticated access to sensitive resources and administrative interfaces on the router.

Reproduction

To reproduce this vulnerability, send an HTTP GET request to the Tenda i6 router's web interface. Include a URL path that starts with a whitelisted prefix, such as '/public/', followed by directory traversal sequences ('../') to escape the restricted directory. The request will bypass authentication and grant access to sensitive files.