Bluewavenet

**Name of the Vulnerable Software and Affected Versions** OpenNDS Captive Portal versions prior to 10.1.2 **Description** An issue in OpenNDS Captive Portal can be triggered with a crafted GET HTTP request with a missing `client redirect` query string parameter, resulting in a NULL pointer dereference. This can cause OpenNDS to crash, leading to a Denial-of-Service condition. The issue occurs during client authentication and can only be triggered when the `BinAuth` option is set. **Recommendations** For OpenNDS Captive Portal versions prior to 10.1.2, update to version 10.1.3 to resolve the issue. As a temporary workaround, consider disabling the `BinAuth` option until a patch is available. Restrict access to the vulnerable module to minimize the risk of exploitation. Avoid using the `client redirect` parameter in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** OpenNDS Captive Portal versions prior to 10.1.2 OpenNDS Captive Portal version 10.1.2 is not affected as the issue is fixed in version 10.1.3. **Description** An issue was discovered in OpenNDS Captive Portal that has a NULL pointer dereference in the `preauthenticated()` function. This can be triggered with a crafted GET HTTP request with a missing `redirect` query string parameter. Triggering this issue results in crashing OpenNDS, leading to a Denial-of-Service condition. **Recommendations** For OpenNDS Captive Portal versions prior to 10.1.2, update to version 10.1.3 to resolve the issue. As a temporary workaround, consider restricting access to the `preauthenticated()` function until a patch is available. Avoid using the `redirect` query string parameter in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** OpenNDS Captive Portal versions prior to 10.1.2 **Description** An issue in OpenNDS Captive Portal can be triggered with a crafted GET HTTP request that has a missing `client token` query string parameter, resulting in a NULL pointer dereference in the `try to authenticate` function. This can cause OpenNDS to crash, leading to a Denial-of-Service condition. **Recommendations** For OpenNDS Captive Portal versions prior to 10.1.2, update to version 10.1.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable API endpoint until the update is applied.

**Name of the Vulnerable Software and Affected Versions** OpenNDS Captive Portal versions prior to 10.1.2 OpenNDS Captive Portal version 10.1.2 is not affected, as the issue is fixed in version 10.1.3. **Description** An issue was discovered in OpenNDS Captive Portal. When the custom unescape callback is enabled, attackers can execute arbitrary OS commands by inserting them into the URL portion of HTTP GET requests. **Recommendations** For OpenNDS Captive Portal versions prior to 10.1.2, update to version 10.1.3 to resolve the issue. As a temporary workaround, consider disabling the custom unescape callback until a patch is available.

**Name of the Vulnerable Software and Affected Versions** OpenNDS Captive Portal versions prior to 10.1.2 **Description** An issue in OpenNDS Captive Portal can be triggered with a crafted GET HTTP request that has a missing `User-Agent` header, resulting in a NULL pointer dereference. This can cause OpenNDS to crash, leading to a Denial-of-Service condition. **Recommendations** For versions prior to 10.1.2, update OpenNDS to version 10.1.3 to resolve the issue. As a temporary workaround, consider restricting access to the `show preauthpage` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** OpenNDS Captive Portal versions prior to 10.1.2 **Description** An issue in OpenNDS Captive Portal can be triggered with a crafted GET HTTP request with a missing User-Agent HTTP header, resulting in a NULL pointer dereference. This can cause OpenNDS to crash, leading to a Denial-of-Service condition. The issue occurs during client authentication and can only be triggered when the BinAuth option is set. **Recommendations** For OpenNDS Captive Portal versions prior to 10.1.2, update to version 10.1.3 or later to resolve the issue. As a temporary workaround, consider disabling the BinAuth option until a patch is available. Restrict access to the vulnerable module to minimize the risk of exploitation. Avoid using the `User-Agent` header in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** OpenNDS versions prior to 10.1.2 OpenNDS Captive Portal versions prior to 10.1.2 **Description** An issue was discovered in OpenNDS that allows users to skip the splash page sequence and directly authenticate when it is using the default FAS key and OpenNDS is configured as FAS. **Recommendations** For OpenNDS versions prior to 10.1.2, update to version 10.1.3 or later to resolve the issue. For OpenNDS Captive Portal versions prior to 10.1.2, update OpenNDS to version 10.1.3 or later, as fixed in OpenWrt master, OpenWrt 23.05, and OpenWrt 22.03.