/a

[Ahmed Ensar]

Google Translate:

Why does the user account without command interface authority have permission to enter this page and execute commands?

[eralde]

2 часа назад, Ahmed Ensar сказал:

Google Translate:

Why does the user account without command interface authority have permission to enter this page and execute commands?

 

This tag

tag http

allows the "test" user to use the web UI. It also automatically allows the user to make REST API calls.

The page where you enter the command in your screenshot uses this API to communicate with the device.
 

We probably can lock this page from the "readonly" users, but any of those users will still be able

to open a new tab in the browser and read parts of the configuration (e.g. my.keenetic.net/rci/user -- list of users with tags)

 

[Ahmed Ensar]

28 minutes ago, eralde said:

This tag

tag http

allows the "test" user to use the web UI. It also automatically allows the user to make REST API calls.

The page where you enter the command in your screenshot uses this API to communicate with the device.
 

We probably can lock this page from the "readonly" users, but any of those users will still be able

to open a new tab in the browser and read parts of the configuration (e.g. my.keenetic.net/rci/user -- list of users with tags)

 

Google Translate:

I hope they fix these vulnerabilities. 

[Le ecureuil]

В 05.06.2021 в 18:24, Ahmed Ensar сказал:

Google Translate:

I hope they fix these vulnerabilities. 

This is not the vulnerability. Read-only tag enforces firmware to block modifying commands, but read-only commands (and reading configs / files for example) explicitly allowed. This is by design and cannot be changed. Probably you haven't understood what the 'read-only' tags means in real.

Try to execute any modifying command and you will see.