VAR-200906-0230
Vulnerability from variot - Updated: 2025-04-10 22:56Directory traversal vulnerability in cgi-bin/webcm in the administrative web interface on the Netgear DG632 with firmware 3.4.0_ap allows remote attackers to list arbitrary directories via a .. (dot dot) in the nextpage parameter. NetGear DG632 router is prone to multiple remote vulnerabilities. The Netgear DG632 router runs a web interface on port 80, allowing administrators to log in and manage the device's settings. Authentication to this web interface is handled by a script named webcm in /cgi-bin/, which redirects to relevant pages based on the user's authentication status. The webcm script handles user authentication and tries to load indextop.htm via the following javascript. The indextop.htm page requires HTTP Basic Authentication. --- function loadnext() { //document.forms[0].target.value="top"; document.forms[0].submit() ; //top.location.href="../cgi-bin/webcm?nextpage=../html/indextop.htm"; } Loading file ... --- If a valid username for the default admin user is provided, the script will continue to load the indextop.htm page and load other frames based on hidden fields; if the user authentication fails, it will return to "../cgi-bin/webcm" . Normal use: http://TARGET_IP/cgi-bin/webcm?nextpage=../html/stattbl.htm This will ask the user to authenticate and deny access to this file if the authentication details are unknown. The same stattbl.htm file can be accessed without providing any credentials using the following URL: http://TARGET_IP/html/stattbl.htm
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-200906-0230",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "dg632",
"scope": "eq",
"trust": 1.6,
"vendor": "netgear",
"version": "3.4.0_ap"
},
{
"model": "dg632",
"scope": "eq",
"trust": 1.0,
"vendor": "netgear",
"version": null
},
{
"model": "dg632",
"scope": null,
"trust": 0.8,
"vendor": "net gear",
"version": null
},
{
"model": "dg632",
"scope": "eq",
"trust": 0.8,
"vendor": "net gear",
"version": "3.4.0_ap"
},
{
"model": "dg632 3.4.0 ap",
"scope": null,
"trust": 0.3,
"vendor": "netgear",
"version": null
},
{
"model": "dg632",
"scope": "eq",
"trust": 0.3,
"vendor": "netgear",
"version": "0"
}
],
"sources": [
{
"db": "BID",
"id": "35376"
},
{
"db": "JVNDB",
"id": "JVNDB-2009-004773"
},
{
"db": "CNNVD",
"id": "CNNVD-200906-442"
},
{
"db": "NVD",
"id": "CVE-2009-2258"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"cpe_match": [
{
"cpe22Uri": "cpe:/h:netgear:dg632",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/o:netgear:dg632_firmware",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2009-004773"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Tom Neaves",
"sources": [
{
"db": "BID",
"id": "35376"
},
{
"db": "CNNVD",
"id": "CNNVD-200906-442"
}
],
"trust": 0.9
},
"cve": "CVE-2009-2258",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "nvd@nist.gov",
"availabilityImpact": "NONE",
"baseScore": 7.8,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 10.0,
"id": "CVE-2009-2258",
"impactScore": 6.9,
"integrityImpact": "NONE",
"severity": "HIGH",
"trust": 1.8,
"vectorString": "AV:N/AC:L/Au:N/C:C/I:N/A:N",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "NONE",
"baseScore": 7.8,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 10.0,
"id": "VHN-39704",
"impactScore": 6.9,
"integrityImpact": "NONE",
"severity": "HIGH",
"trust": 0.1,
"vectorString": "AV:N/AC:L/AU:N/C:C/I:N/A:N",
"version": "2.0"
}
],
"cvssV3": [],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2009-2258",
"trust": 1.0,
"value": "HIGH"
},
{
"author": "NVD",
"id": "CVE-2009-2258",
"trust": 0.8,
"value": "High"
},
{
"author": "CNNVD",
"id": "CNNVD-200906-442",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "VULHUB",
"id": "VHN-39704",
"trust": 0.1,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-39704"
},
{
"db": "JVNDB",
"id": "JVNDB-2009-004773"
},
{
"db": "CNNVD",
"id": "CNNVD-200906-442"
},
{
"db": "NVD",
"id": "CVE-2009-2258"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Directory traversal vulnerability in cgi-bin/webcm in the administrative web interface on the Netgear DG632 with firmware 3.4.0_ap allows remote attackers to list arbitrary directories via a .. (dot dot) in the nextpage parameter. NetGear DG632 router is prone to multiple remote vulnerabilities. The Netgear DG632 router runs a web interface on port 80, allowing administrators to log in and manage the device\u0027s settings. Authentication to this web interface is handled by a script named webcm in /cgi-bin/, which redirects to relevant pages based on the user\u0027s authentication status. The webcm script handles user authentication and tries to load indextop.htm via the following javascript. The indextop.htm page requires HTTP Basic Authentication. --- \u003cscript language=\"javascript\" type=\"text/javascript\"\u003e function loadnext() { //document.forms[0].target.value=\"top\"; document.forms[0].submit() ; //top.location.href=\"../cgi-bin/webcm?nextpage=../html/indextop.htm\"; }\u003c/script\u003e\u003c/head\u003e \u003cbody bgcolor=\"#ffffff\" onload= \"loadnext()\" \u003e Loading file ... \u003cform method=\"POST\" action=\"../cgi-bin/webcm\" id=\"uiPostForm\"\u003e \u003cinput type=\"hidden\" name=\"nextpage\" value= \"../html/indextop.htm\" id=\"uiGetNext\"\u003e \u003c/form\u003e --- If a valid username for the default admin user is provided, the script will continue to load the indextop.htm page and load other frames based on hidden fields; if the user authentication fails, it will return to \"../cgi-bin/webcm\" . Normal use: http://TARGET_IP/cgi-bin/webcm?nextpage=../html/stattbl.htm This will ask the user to authenticate and deny access to this file if the authentication details are unknown. The same stattbl.htm file can be accessed without providing any credentials using the following URL: http://TARGET_IP/html/stattbl.htm",
"sources": [
{
"db": "NVD",
"id": "CVE-2009-2258"
},
{
"db": "JVNDB",
"id": "JVNDB-2009-004773"
},
{
"db": "BID",
"id": "35376"
},
{
"db": "VULHUB",
"id": "VHN-39704"
}
],
"trust": 1.98
},
"exploit_availability": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/exploit_availability#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"reference": "https://www.scap.org.cn/vuln/vhn-39704",
"trust": 0.1,
"type": "unknown"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-39704"
}
]
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2009-2258",
"trust": 2.8
},
{
"db": "EXPLOIT-DB",
"id": "8963",
"trust": 1.7
},
{
"db": "SECTRACK",
"id": "1022404",
"trust": 1.7
},
{
"db": "JVNDB",
"id": "JVNDB-2009-004773",
"trust": 0.8
},
{
"db": "MILW0RM",
"id": "8963",
"trust": 0.6
},
{
"db": "BUGTRAQ",
"id": "20090615 NETGEAR DG632 ROUTER AUTHENTICATION BYPASS VULNERABILITY",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-200906-442",
"trust": 0.6
},
{
"db": "BID",
"id": "35376",
"trust": 0.3
},
{
"db": "VULHUB",
"id": "VHN-39704",
"trust": 0.1
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-39704"
},
{
"db": "BID",
"id": "35376"
},
{
"db": "JVNDB",
"id": "JVNDB-2009-004773"
},
{
"db": "CNNVD",
"id": "CNNVD-200906-442"
},
{
"db": "NVD",
"id": "CVE-2009-2258"
}
]
},
"id": "VAR-200906-0230",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VULHUB",
"id": "VHN-39704"
}
],
"trust": 0.01
},
"last_update_date": "2025-04-10T22:56:34.133000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "Top Page",
"trust": 0.8,
"url": "http://www.netgear.com/"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2009-004773"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-22",
"trust": 1.9
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-39704"
},
{
"db": "JVNDB",
"id": "JVNDB-2009-004773"
},
{
"db": "NVD",
"id": "CVE-2009-2258"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.0,
"url": "http://www.tomneaves.co.uk/netgear_dg632_authentication_bypass.txt"
},
{
"trust": 1.7,
"url": "http://securitytracker.com/id?1022404"
},
{
"trust": 1.1,
"url": "http://www.securityfocus.com/archive/1/504312/100/0/threaded"
},
{
"trust": 1.1,
"url": "http://www.exploit-db.com/exploits/8963"
},
{
"trust": 0.8,
"url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2009-2258"
},
{
"trust": 0.8,
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2009-2258"
},
{
"trust": 0.6,
"url": "http://www.securityfocus.com/archive/1/archive/1/504312/100/0/threaded"
},
{
"trust": 0.6,
"url": "http://www.milw0rm.com/exploits/8963"
},
{
"trust": 0.3,
"url": "http://www.netgear.com/"
},
{
"trust": 0.3,
"url": "http://www.tomneaves.co.uk/netgear_dg632_remote_dos.txt"
},
{
"trust": 0.3,
"url": "/archive/1/504312"
},
{
"trust": 0.3,
"url": "/archive/1/504313"
},
{
"trust": 0.3,
"url": "/archive/1/504341"
},
{
"trust": 0.3,
"url": "/archive/1/504345"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-39704"
},
{
"db": "BID",
"id": "35376"
},
{
"db": "JVNDB",
"id": "JVNDB-2009-004773"
},
{
"db": "CNNVD",
"id": "CNNVD-200906-442"
},
{
"db": "NVD",
"id": "CVE-2009-2258"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "VULHUB",
"id": "VHN-39704"
},
{
"db": "BID",
"id": "35376"
},
{
"db": "JVNDB",
"id": "JVNDB-2009-004773"
},
{
"db": "CNNVD",
"id": "CNNVD-200906-442"
},
{
"db": "NVD",
"id": "CVE-2009-2258"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2009-06-30T00:00:00",
"db": "VULHUB",
"id": "VHN-39704"
},
{
"date": "2009-06-15T00:00:00",
"db": "BID",
"id": "35376"
},
{
"date": "2012-09-25T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2009-004773"
},
{
"date": "2009-06-30T00:00:00",
"db": "CNNVD",
"id": "CNNVD-200906-442"
},
{
"date": "2009-06-30T10:30:21.813000",
"db": "NVD",
"id": "CVE-2009-2258"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2018-10-10T00:00:00",
"db": "VULHUB",
"id": "VHN-39704"
},
{
"date": "2009-07-09T20:36:00",
"db": "BID",
"id": "35376"
},
{
"date": "2012-09-25T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2009-004773"
},
{
"date": "2009-09-22T00:00:00",
"db": "CNNVD",
"id": "CNNVD-200906-442"
},
{
"date": "2025-04-09T00:30:58.490000",
"db": "NVD",
"id": "CVE-2009-2258"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-200906-442"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Netgear DG632 Management running on top Web Directory traversal vulnerability in the interface",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2009-004773"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "path traversal",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-200906-442"
}
],
"trust": 0.6
}
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…