Software Engineering Institute

CWE-829: Inclusion of Functionality from Untrusted Control Sphere

The TP-LINK TL-WR841N wireless router web-based management interface contains a local file inclusion (LFI) vulnerability. The URL parameter is not properly sanitized before being parsed. It has been reported that TP-LINK TL-WR841N wireless router running firmware version: 3.13.9 Build 120201 Rel.54965n and below are affected.

An attacker with access to the TP-LINK TL-WR841N web interface could download critical configuration files off the device.

We are currently unaware of a practical solution to this problem.

Restrict access

As a general good security practice, only allow connections from trusted hosts and networks. Note that restricting access does not prevent local file inclusion attacks since the attack comes as an HTTP request from a legitimate user's host. Restricting access would prevent an attacker from accessing the TP-LINK TL-WR841N web interface using stolen credentials from a blocked network location.