Full title: NetGear WNDR Authentication Bypass / Information Disclosure Vulnerabilities 
Category: web applications
Platform: hardware
A number of NetGear WNDR devices contain an embedded SOAP service that is seemingly for use with the NetGear Genie application. As this SOAP service is implemented by the built-in HTTP / CGI daemon, unauthenticated queries will also be answered over the internet if remote management has been enabled on the device. As a result, affected devices can be interrogated and hijacked with as little as a well placed HTTP query. Proof of concept included.

# 0day.today @ http://0day.today/