Summary
It is possible to bypass the authentication mechanism of NetAlertX to update settings without authentication. This vulnerability bypasses the fix made for CVE-2024-46506.
Details
The vulnerability leverages an include chain originating from index.php.
Specifically, index.php includes php/server/init.php, which in turn includes the sensitive php/server/util.php script responsible for tasks like settings updates.
While util.php attempts to enforce authentication by including templates/security.php, this security check is bypassed when the request is made directly to /index.php.
The templates/security.php logic does not mandate authentication or redirection for requests targeting /index.php.
Consequently, an attacker can trigger sensitive functions within util.php by sending crafted requests to /index.php, effectively achieving the same outcome as CVE-2024-46506 (e.g., updating settings) but via a different, unauthenticated entry point (/index.php instead of util.php).
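The root cause described above is a security gate that decides based on which script was requested rather than on whether the caller is authenticated. The following is an added illustration, not NetAlertX code: plain functions stand in for the scripts named in the advisory, and all function, variable and setting names are assumptions chosen for the example. It contrasts the weak path-keyed gate with a hardened privileged operation that checks the session itself, so the same unauthenticated call succeeds against the first and is refused by the second.

```php
<?php
declare(strict_types=1);

// Added example, not part of the advisory or the NetAlertX code base.
// Stand-ins for the include chain index.php -> init.php -> util.php -> security.php.

// --- Weak design: the gate (stand-in for templates/security.php) keys off the
//     requested script path, so any privileged helper pulled in through an
//     exempted entry point inherits the exemption. ---
function security_check_weak(string $requestPath, bool $loggedIn): bool
{
    // The landing page is exempt so it can render a login form. That exemption
    // silently covers every helper index.php includes, which is the gap above.
    if ($requestPath === '/index.php') {
        return true;
    }
    return $loggedIn;
}

// Stand-in for a settings update in php/server/util.php guarded only by the gate.
function update_settings_weak(string $requestPath, bool $loggedIn,
                              array $newSettings, array &$settings): bool
{
    if (!security_check_weak($requestPath, $loggedIn)) {
        return false;
    }
    $settings = array_merge($settings, $newSettings);
    return true;
}

// --- Hardened design: the privileged operation enforces authentication itself,
//     independent of which script included it or which URL was requested. ---
function update_settings_hardened(bool $loggedIn, array $newSettings,
                                  array &$settings): bool
{
    if (!$loggedIn) {
        return false;
    }
    $settings = array_merge($settings, $newSettings);
    return true;
}

// Self-check with a constructed sample setting (the key is made up for this
// example and is not a real NetAlertX setting name).
$initial = ['login_required' => 'enabled'];
$attempt = ['login_required' => 'disabled'];

$weak = $initial;
$hardened = $initial;

// An unauthenticated request that reaches the helper via /index.php.
$weakAllowed     = update_settings_weak('/index.php', false, $attempt, $weak);
$hardenedAllowed = update_settings_hardened(false, $attempt, $hardened);

printf("weak gate, unauthenticated via /index.php: %s (setting now '%s')\n",
       $weakAllowed ? 'ALLOWED' : 'denied', $weak['login_required']);
printf("hardened gate, unauthenticated: %s (setting still '%s')\n",
       $hardenedAllowed ? 'ALLOWED' : 'denied', $hardened['login_required']);
```

Run with `php example.php`; the weak variant reports ALLOWED and the setting flips to `disabled`, while the hardened variant reports denied and leaves it at `enabled`. The design point for a fix is that the authentication check must travel with the privileged function, not with an allowlist of entry scripts, because an include chain can reach that function from any script.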
PoC
Please find the Proof of Concept script enclosed. This script demonstrates the vulnerability by first disabling password authentication and then initiating a reverse shell connection to the listener IP address 10.10.1.32 on port 1234 (see line 798 on params.json).
netalertxploit.zip