howto use wsal :

• wsal uses SHTTPD (Simple HTTPS v1.39 by Sergey Lyubka), with hardcoded CGI
• HTTP GET does not get the 200/OK response
• HTTP GET return the plain text from the required file
• requesting to GET a page not in the index breaks wsal
• everything is done using HTTP POST. this is how the pages are returned (200/OK)
• requesting (POST) a page (except login.html) without being logged in, redirects the to index.html
• to circumvent the login, request (POST) a hidden page. A session cookie will be set (and you will be redirected). use this cookie to request any page
• requesting (POST) any page outside the catalog does not break wsal

things to do with wsal:

• try REMOVE, DELETE and PUT requests (shttpd supports them)
• PUT can be either authorized or not authorized depending on if this is compiled with -DNO_AUTH or not (seems like they compiled with that to reduce binary size by 4kb)
• URL is removing ../ sequences from the URL before processing
• possible buffer overflow in put_dir()? assert from source code is missing in binary
  • from what I see they compiled the source with -DNDEBUG which removes all the assert code (shttpd source also mentions that this reduces the binary size around 5kb)
• large number of sprintf called in embedded CGIs but only in the *_to_html functions, so likely not processing user input at this point
• before passing a request to a cgi script all HTTP headers are added to the environment. does this allow us to overwrite any existing env variables and if, does it help us?
• shttpd has support for server side includes, one command for this among others is exec. I'm not sure though if SSI is enabled for any html page or it has to be a special URL that needs to get registered. If this is generally enabled in html files it might be interesting to combine this with a PUT requests that produces a html file.

from operator/web/ :

• help_contents.html
• help.html
• help_index.html
• login.html
• owner_network_dhcp_dis.html
• owner_network_dhcp_en.html
• owner_password_change.html
• owner_status_femto_hz_dis.html
• owner_status_femto_hz_en.html
• owner_status_ue.html

from ubiqfs/bin/htdocs/, access then with cust/ in the URL :

• error_no_db_parameters.html
• error_no_next_page.html
• help_contents.html
• help.html
• help_index.html
• index.html
• login.html
• mno_ui_diag_reset.html
• mno_ui_eng_paras_2gsniffprofile.html
• mno_ui_eng_paras_cellconf.html
• mno_ui_eng_paras_cellselect.html
• mno_ui_eng_paras_comch.html
• mno_ui_eng_paras_dlmmprofile.html
• mno_ui_eng_paras_gen.html
• mno_ui_eng_paras_handout.html
• mno_ui_eng_paras.html
• mno_ui_eng_paras_lacconf.html
• mno_ui_eng_paras_mmgmm.html
• mno_ui_eng_paras_neighgsm.html
• mno_ui_eng_paras_neighmacro.html
• mno_ui_eng_paras_neighzap.html
• mno_ui_eng_paras_rabpar.html
• mno_ui_eng_paras_rrctimers.html
• mno_ui_eng_paras_rrmstatus.html
• mno_ui_eng_paras_sniffprofile.html
• mno_ui_eng_paras_uetimers.html
• mno_ui_metrics_perf.html
• mno_ui_nw_acs.html
• mno_ui_nw_cn_gw.html
• mno_ui_nw_ip_timing.html
• mno_ui_nw_ip_timing_servers_edit.html
• mno_ui_nw_ip_timing_servers.html
• mno_ui_nw_psoff_apn.html
• mno_ui_nw_psoff_dis.html
• mno_ui_nw_psoff_en.html
• mno_ui_nw_ran_gw.html
• mno_ui_nw_status.html
• mno_ui_rabpar_hsdpa.html
• mno_ui_rabpar_multi.html
• mno_ui_rabpar_phych.html
• mno_ui_rabpar_single.html
• mno_ui_status_addue_gan.html
• mno_ui_status_addue_ietf_sip.html
• mno_ui_status_addue_ims_sip.html
• mno_ui_status_event_log.html
• mno_ui_status_sw_status.html
• mno_ui_status_ue_status_gan.html
• mno_ui_status_ue_status.html
• mno_ui_status_ue_status_ietf_sip.html
• mno_ui_status_ue_status_ims_sip.html
• mno_ui_status_zap_status.html
• owner_network_dhcp_dis.html
• owner_network_dhcp_en.html
• owner_password_change.html
• owner_status_femto_hz_dis.html
• owner_status_femto_hz_en.html
• owner_status_ue.html
• services_ui_presence.html
• technician_ui_diag_reset.html
• technician_ui_eng_paras_2gsniffprofile.html
• technician_ui_eng_paras_cellconf.html
• technician_ui_eng_paras_cellselect.html
• technician_ui_eng_paras_comch.html
• technician_ui_eng_paras_dlmmprofile.html
• technician_ui_eng_paras_gen.html
• technician_ui_eng_paras_handout.html
• technician_ui_eng_paras.html
• technician_ui_eng_paras_lacconf.html
• technician_ui_eng_paras_mmgmm.html
• technician_ui_eng_paras_neighgsm.html
• technician_ui_eng_paras_neighmacro.html
• technician_ui_eng_paras_neighzap.html
• technician_ui_eng_paras_rabpar.html
• technician_ui_eng_paras_rrctimers.html
• technician_ui_eng_paras_rrmstatus.html
• technician_ui_eng_paras_sniffprofile.html
• technician_ui_eng_paras_uetimers.html
• technician_ui_metrics_perf.html
• technician_ui_nw_acs.html
• technician_ui_nw_cn_gw.html
• technician_ui_nw_ip_timing.html
• technician_ui_nw_ip_timing_servers_edit.html
• technician_ui_nw_ip_timing_servers.html
• technician_ui_nw_psoff_apn.html
• technician_ui_nw_psoff_dis.html
• technician_ui_nw_psoff_en.html
• technician_ui_nw_ran_gw.html
• technician_ui_nw_status.html
• technician_ui_rabpar_hsdpa.html
• technician_ui_rabpar_multi.html
• technician_ui_rabpar_phych.html
• technician_ui_rabpar_single.html
• technician_ui_status_addue_gan.html
• technician_ui_status_addue_ietf_sip.html
• technician_ui_status_addue_ims_sip.html
• technician_ui_status_event_log.html
• technician_ui_status_sw_status.html
• technician_ui_status_ue_status_gan.html
• technician_ui_status_ue_status.html
• technician_ui_status_ue_status_ietf_sip.html
• technician_ui_status_ue_status_ims_sip.html
• technician_ui_status_zap_status.html