Holes in Embedded Devices: Authentication bypass (pt 4)

This kind of authentication bypass bug can go easily undetected during a security assessment if not enough attention is paid. In order to understand this type of vulnerability, we need to be familiar with settings pages available on devices’ web interface that allow the admin user to modify settings.

Administrative web interfaces have different sections/menus available to logged-in administrators. Each section is just a HTML page with a form designed to make configuration changes. [...]

more | comments | comments rss | posted by