Summary

An authentication bypass vulnerability exists in the embedded HTTP server of Panabit PAP-XM320 up to and including V7.7. The server validates management session cookies using a filesystem existence check based on a user-controlled cookie value without proper sanitization. This allows directory traversal in the cookie value and can cause the server to treat an unauthenticated request as authenticated.

Classification

Affected Product

Affected Component

Vulnerability Details

The device uses a session cookie format similar to:

apuser_<boot_time>=<cookie_value>

During normal login, the device creates a session file under /usr/ramdisk/weblogin/ and sets a cookie whose value corresponds to that file. The HTTP service then validates later requests by checking whether a file matching the cookie value exists.

The normal login flow is equivalent to:

ckinfo="paonline_${CGI_username}_$$_${logintime}"
ckfile="${PIW_WWW}/weblogin/${ckinfo}"
echo "ip=${REMOTE_ADDR}" > "${ckfile}"
echo "user=${CGI_username}" >> "${ckfile}"
echo "logintime=$(date +%Y.%m.%d/%H:%M:%S)" >> "${ckfile}"
printf "Set-Cookie: apuser_${bootime}=${ckinfo};Path=/;\\r\\n"
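
A hardened form of the session check described above, as an added example that is not Panabit's code and not part of the original advisory. The function name session_is_valid, the SESSION_DIR variable and the allowed character set are assumptions; the file naming and the ip= line come from the login flow shown above.

```shell
#!/bin/sh
# Added example, not vendor code. Assumptions: session files sit directly in
# SESSION_DIR, are named paonline_<user>_<pid>_<logintime>, and usernames and
# timestamps use only the characters in the allowlist below.
LC_ALL=C                                   # make the A-Z / a-z ranges byte-exact
SESSION_DIR="${SESSION_DIR:-/usr/ramdisk/weblogin}"

# session_is_valid <cookie_value> <remote_addr>
# Returns 0 only if the cookie names a session file created by the login flow
# and that file was issued to the same client address.
session_is_valid() {
    ck="$1"
    remote="$2"
    [ -n "$remote" ] || return 1

    # 1. Reject empty values and any byte outside the allowlist. '/' is not
    #    allowed, so the value can never name a path outside SESSION_DIR.
    case "$ck" in
        ''|*[!A-Za-z0-9_.:-]*) return 1 ;;
    esac

    # 2. Require the name shape the login flow generates.
    case "$ck" in
        paonline_?*_?*_?*) ;;
        *) return 1 ;;
    esac

    f="${SESSION_DIR}/${ck}"

    # 3. Must be a regular file and not a symlink pointing elsewhere.
    [ -f "$f" ] && [ ! -L "$f" ] || return 1

    # 4. Check content, not just existence: the login flow wrote ip=<addr>.
    grep -qxF -e "ip=${remote}" "$f"
}
```

The order matters: the value is validated as a bare file name before it is ever joined to a directory, so the existence test only runs on names the login flow could have produced.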