Auth bypass: exposed CGI scripts
- Settings form is password-protected
  - e.g. "/user_accounts.html"
- However, the CGI script it submits to is publicly reachable
  - Can be identified from the settings form's 'action' attribute
- Attacker can change settings without a password
  - Add new admin account
  - Enable remote admin access
  - Disable security settings
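The flaw above is that the authorization check lives on the HTML page rather than on the script the form posts to. The following is an added example (not code from the original slide or from any product): a minimal CGI-style router in Python that contrasts the exposed-script pattern with the fix, and includes the regression check a defender would run against every state-changing endpoint. All paths, account names, session ids and the Device model are constructed for illustration.

```python
"""
Added example: password-protected settings page whose action script is
(a) unprotected and (b) guarded by the same login check.
Every path, credential and session id below is a constructed sample.
"""
from dataclasses import dataclass, field

# Constructed sample data (hypothetical, not from any real device)
PASSWORDS = {"admin": "s3cret"}            # username -> password
SESSIONS = {"sess-admin-0001": "admin"}    # session id -> username


@dataclass
class Request:
    path: str
    method: str
    form: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


@dataclass
class Device:
    """Constructed stand-in for the device's persisted settings."""
    remote_admin: bool = False
    accounts: dict = field(default_factory=lambda: dict(PASSWORDS))


def current_user(req):
    """Return the logged-in username, or None if the session cookie is invalid."""
    return SESSIONS.get(req.cookies.get("sid"))


def require_login(handler):
    """Decorator: refuse the request unless a valid session exists."""
    def wrapped(req, dev):
        if current_user(req) is None:
            return 401, "login required"
        return handler(req, dev)
    return wrapped


# The settings page is protected in both variants.
@require_login
def user_accounts_page(req, dev):
    # The 'action' attribute reveals the script the browser will POST to.
    return 200, '<form action="/cgi-bin/set_user.cgi" method="POST">...</form>'


# Vulnerable variant: the script the form posts to has no check at all.
def set_user_cgi_vulnerable(req, dev):
    dev.accounts[req.form["user"]] = req.form["pass"]
    dev.remote_admin = req.form.get("remote_admin") == "1"
    return 200, "saved"


# Hardened variant: the same guard is applied to the script itself.
@require_login
def set_user_cgi_hardened(req, dev):
    dev.accounts[req.form["user"]] = req.form["pass"]
    dev.remote_admin = req.form.get("remote_admin") == "1"
    return 200, "saved"


def dispatch(routes, req, dev):
    handler = routes.get((req.method, req.path))
    if handler is None:
        return 404, "not found"
    return handler(req, dev)


VULNERABLE_ROUTES = {("GET", "/user_accounts.html"): user_accounts_page,
                     ("POST", "/cgi-bin/set_user.cgi"): set_user_cgi_vulnerable}
HARDENED_ROUTES = {("GET", "/user_accounts.html"): user_accounts_page,
                   ("POST", "/cgi-bin/set_user.cgi"): set_user_cgi_hardened}


def settings_post(routes, cookies):
    """POST to the settings script with the given cookies and report
    (status, remote_admin_enabled, account_added)."""
    dev = Device()
    req = Request("/cgi-bin/set_user.cgi", "POST",
                  form={"user": "newuser", "pass": "x", "remote_admin": "1"},
                  cookies=cookies)
    status, _ = dispatch(routes, req, dev)
    return status, dev.remote_admin, "newuser" in dev.accounts


def audit_unauthenticated_write(routes):
    """Regression check: a state-changing script must reject requests that
    carry no session. A correct deployment yields (401, False, False)."""
    return settings_post(routes, cookies={})


if __name__ == "__main__":
    print("vulnerable:", audit_unauthenticated_write(VULNERABLE_ROUTES))
    print("hardened:  ", audit_unauthenticated_write(HARDENED_ROUTES))
```

The point of `audit_unauthenticated_write` is that it targets the URL taken from the form's `action` attribute rather than the HTML page: auditing only the page would pass on both variants. Running it against every script a form posts to is the cheap check that catches this class of bypass before deployment.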