(Archer XR500v) Web interface exposes controls to unauthenticated clients
Model:
Adapter
Hardware Version:
Firmware Version: 1.1.0 0.8.0 v5009.0 Build 200529 Rel.59796n
Steps to reproduce:
- The default port is 80. Change it to anything else, like 8888.
- On a client system, add the following to /etc/hosts (replace ip_address with your public IP):
    ip_address example.com
- Access the web interface like this: "example.com:8888"
Expected result:
The usual login form
Actual result:
A broken web page (missing CSS and JS) that offers, without any form of authentication, a button to reboot the device, and a form to redefine a user's password.
TP-Link technical support dismissed this as "not a bug", so I'm documenting it here.
Current workaround:
Use the default port (80).