CVE-2009-2766

Published: 14/08/2009 Updated: 19/09/2017
CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10
VMScore: 755
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Summary

httpd.c in httpd in the management GUI in DD-WRT 24 sp1 does not require administrative authentication for programs under cgi-bin/, which allows remote malicious users to change settings via HTTP requests.

Vulnerable Product

dd-wrt dd-wrt 24

Exploits

This is a remote root vulnerability in DD-WRT's httpd server. The bug exists at the latest 24 sp1 version of the firmware. The problem is due to many bugs and bad software design decisions. Here is part of httpd.c:

    if (containsstring(file, "cgi-bin")) {

        auth_fail = 0;
        if (!do_auth ...