mirror of
https://github.com/iamromulan/quectel-rgmii-toolkit.git
synced 2026-04-25 22:55:50 +03:00
[GH-ISSUE #175] [SDXPINN] [IN BETA] [QuecManager] [WIP-Tracking] Authentication screen doesn't restrict access - critical scripts exposed #59
Labels
No labels
pull-request
No milestone
No project
No assignees
1 participant
Notifications
Due date
No due date set.
Dependencies
No dependencies set.
Reference
starred/quectel-rgmii-toolkit#59
Loading…
Add table
Add a link
Reference in a new issue
No description provided.
Delete branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @grapexy on GitHub (Jul 25, 2025).
Original GitHub issue: https://github.com/iamromulan/quectel-rgmii-toolkit/issues/175
Originally assigned to: @clndwhr on GitHub.
While testing QuecManager, I noticed that the authentication screen doesn’t actually enforce anything. You can access and run critical scripts directly without logging in.
For example, calling this:
…will reboot the modem - no auth required.
There are several other .sh scripts exposed in the same way. This could be risky not just if the interface is exposed to the internet, but even on a local network - any rogue device could hit those endpoints and potentially break things or reconfigure the modem silently, or even execute custom shell commands and do full takeover. And since this is running as root, well, opportunities are endless.
Looks like the auth UI is purely cosmetic right now. Definitely worth locking this down before someone runs into trouble.
Thanks!
@clndwhr commented on GitHub (Jul 25, 2025):
Great find! This holds the same for SA2, we'll start working a solution to rectify this security hole.
Thank you greatly!
@dr-dolomite commented on GitHub (Jul 25, 2025):
We are aware of this and a better auth will be implemented. Thanks!
@clndwhr commented on GitHub (Jul 27, 2025):
Code changes are in testing phase at this time.
@MiG-41 commented on GitHub (Jul 28, 2025):
So when will be able to install it from Luci/Software ?
So far i have:
@iamromulan commented on GitHub (Jul 31, 2025):
It's available as the beta package now on development-SDXPINN, we are still testing it.
If you want to try it sooner edit your OPKG config under custom sources. Edit the URL to be development-SDXPINN instead of SDXPINN and then update lists again.
@MiG-41 commented on GitHub (Jul 31, 2025):
Thanks , was possible to update to 2.2.4... However something is broken with loging ( rebot not require to login again ) , and was not possible to set bands. So moved back to 2.2.3 again.
@clndwhr commented on GitHub (Jul 31, 2025):
@MiG-41, band and cell lock got "broke" on this initial release. The fixes have been applied, were working some processes out for ensuring a good build is created before releasing the fix for this.
@MiG-41 commented on GitHub (Aug 1, 2025):
Sure, if new fixes aprear for sure i would like to test them.
@clndwhr commented on GitHub (Aug 2, 2025):
@MiG-41, 2.2.5 beta is updated.l with these fixes
@clndwhr commented on GitHub (Aug 2, 2025):
@iamromulan, at your discretion, imo this can now be closed
@iamromulan commented on GitHub (Aug 2, 2025):
Will remain open until out of beta
@clndwhr commented on GitHub (Aug 31, 2025):
Functionality now restricted and part of QuecManager 2.3.0+ release