ID

VAR-201411-0508


TITLE

Netgear WNR500 Router 'webproc' Local File Inclusion Vulnerability

Trust: 0.6

sources: CNNVD: CNNVD-201411-463

DESCRIPTION

Netgear WNR500 is a wireless router product from NetGear. A local file inclusion vulnerability exists in the Netgear WNR500 Router, caused by the program's insufficient filtering of user-submitted input. An attacker could use this vulnerability to obtain sensitive information and execute arbitrary local scripts to control applications and computers. Netgear WNR500 running firmware version 1.0.7.2 is vulnerable; other versions may also be affected. This could allow the attacker to compromise the application and the computer; other attacks are also possible. It is a simple, secure way to share your Internet connection and allows you to easily surf the Internet, use email, and have online chats. The quick, CD-less setup can be done through a web browser. The small, efficient design fits perfectly into your home. The router suffers from an authenticated file inclusion vulnerability (LFI) when input passed through the 'getpage' parameter to the 'webproc' script is not properly verified before being used to include files. This can be exploited to include files from local resources with directory traversal attacks. Tested on: mini_httpd/1.19 19dec2003

Trust: 0.9

sources: CNNVD: CNNVD-201411-463 // BID: 70050 // ZSL: ZSL-2014-5208

AFFECTED PRODUCTS

vendor: netgear, model: wnr500, scope: eq, version: 1.0.7.2

Trust: 0.3

vendor: netgear, model: wireless router wnr, scope: eq, version: wnr500 (firmware: 1.0.7.2)

Trust: 0.1

sources: ZSL: ZSL-2014-5208 // BID: 70050

CVSS

SEVERITY

CVSSV2

CVSSV3

ZSL: ZSL-2014-5208
value: (3/5)

Trust: 0.1

sources: ZSL: ZSL-2014-5208

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201411-463

TYPE

code injection

Trust: 0.6

sources: CNNVD: CNNVD-201411-463

EXPLOIT AVAILABILITY

sources: ZSL: ZSL-2014-5208

EXTERNAL IDS

db: BID, id: 70050

Trust: 1.0

db: CNNVD, id: CNNVD-201411-463

Trust: 0.6

db: ZSL, id: ZSL-2014-5208

Trust: 0.4

db: PACKETSTORM, id: 129223

Trust: 0.1

db: CXSECURITY, id: WLB-2014110148

Trust: 0.1

db: EXPLOIT-DB, id: 35325

Trust: 0.1

db: OSVDB, id: 114967

Trust: 0.1

sources: ZSL: ZSL-2014-5208 // BID: 70050 // CNNVD: CNNVD-201411-463

REFERENCES

url:http://www.securityfocus.com/bid/70050

Trust: 0.7

url:http://www.netgear.com/

Trust: 0.3

url:http://www.netgear.com/support_main.asp

Trust: 0.3

url:http://www.zeroscience.mk/en/vulnerabilities/zsl-2014-5208.php

Trust: 0.3

url:http://cxsecurity.com/issue/wlb-2014110148

Trust: 0.1

url:http://packetstormsecurity.com/files/129223

Trust: 0.1

url:http://www.exploit-db.com/exploits/35325/

Trust: 0.1

url:http://osvdb.org/show/osvdb/114967

Trust: 0.1

sources: ZSL: ZSL-2014-5208 // BID: 70050 // CNNVD: CNNVD-201411-463

CREDITS

Gjoko Krstic

Trust: 0.9

sources: BID: 70050 // CNNVD: CNNVD-201411-463

SOURCES

db: ZSL, id: ZSL-2014-5208
db: BID, id: 70050
db: CNNVD, id: CNNVD-201411-463

LAST UPDATE DATE

2022-10-19T22:35:26.185000+00:00


SOURCES UPDATE DATE

db: ZSL, id: ZSL-2014-5208, date: 2014-11-25T00:00:00
db: BID, id: 70050, date: 2014-11-21T00:00:00
db: CNNVD, id: CNNVD-201411-463, date: 2014-11-25T00:00:00

SOURCES RELEASE DATE

db: ZSL, id: ZSL-2014-5208, date: 2014-11-21T00:00:00
db: BID, id: 70050, date: 2014-11-21T00:00:00
db: CNNVD, id: CNNVD-201411-463, date: 2014-11-25T00:00:00