CVE-2020-12447
Description
A Local File Inclusion (LFI) issue on Onkyo TX-NR585 1000-0000-000-0008-0000 devices allows remote unauthenticated users on the network to read sensitive files via %2e%2e%2f directory traversal, as demonstrated by reading /etc/shadow.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- Onkyo/TX-NR585
Patches
Vulnerability mechanics
Root cause
"Missing input validation on URL paths allows directory traversal via URL-encoded `../` sequences."
Attack vector
An unauthenticated attacker on the same network sends an HTTP request to any of the device's web servers (e.g., port 8080) with the path containing URL-encoded directory traversal sequences such as `%2e%2e%2f` (which decodes to `../`). By repeating this sequence, the attacker can traverse back to the root of the filesystem and then request sensitive files like `/etc/shadow` [ref_id=1]. The advisory notes that a "weakly implemented filter can be bypassed with basic URL encoding techniques" [ref_id=1].
Affected code
The built-in web server(s) on the Onkyo TX-NR585 (firmware version 1000-0000-000-0008-0000) are vulnerable. The advisory does not specify a particular file or function name, but the flaw exists in the URL path handling of the web server(s) listening on ports such as 80, 5000, 8008, 8080, and 8888 [ref_id=1].
What the fix does
No patch or vendor advisory is included in the bundle. The researcher's write-up does not describe any remediation from the vendor. To close the vulnerability, the web server should validate and sanitize incoming URL paths, rejecting or neutralizing any directory traversal sequences (including URL-encoded variants like `%2e%2e%2f`) before accessing the filesystem.
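As an added illustration of the path handling described above (example code written for this page, not from the advisory or the device firmware), the following Python function percent-decodes a request path repeatedly so that URL-encoded and double-encoded `../` are visible, refuses any `..` segment, and then confirms the resolved file still lies under a web root. The web root `/var/www/onkyo` and the function names are assumptions for the example; the advisory does not name the device's real document root.

```python
import os
from urllib.parse import unquote

# Assumed web root for this example; the advisory does not name the device's real one.
WEB_ROOT = "/var/www/onkyo"


def fully_decode(raw: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing, so that a double-encoded
    sequence such as %252e%252e%252f (-> %2e%2e%2f -> ../) is not missed.
    The bounded loop keeps a client from forcing unbounded decoding work."""
    current = raw
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current


def resolve_under_root(web_root: str, request_path: str):
    """Map an HTTP request path onto the filesystem.

    Returns the absolute file path to serve, or None if the request must be
    refused. Decoding happens *before* the traversal check, which is the step
    a filter that only looks for a literal '../' gets wrong.
    """
    decoded = fully_decode(request_path)
    # NUL bytes and backslashes have no place in a URL path; refuse them outright.
    if "\x00" in decoded or "\\" in decoded:
        return None
    # Drop empty and '.' segments, then refuse any '..' segment: that is the
    # traversal primitive, whether it arrived encoded or not.
    segments = [s for s in decoded.split("/") if s not in ("", ".")]
    if ".." in segments:
        return None
    root = os.path.normpath(web_root)
    candidate = os.path.normpath(os.path.join(root, *segments))
    # Defence in depth: even after the segment check, confirm containment.
    if candidate != root and not candidate.startswith(root + os.sep):
        return None
    return candidate


if __name__ == "__main__":
    for path in ("/index.html",
                 "/css//./style.css",
                 "/%2e%2e%2f%2e%2e%2fetc%2fshadow",
                 "/%252e%252e%252fetc/shadow"):
        print(f"{path!r:45} -> {resolve_under_root(WEB_ROOT, path)}")
```

The order of operations is the point: decode first, then inspect segments, then verify the final path against the root. A check that runs on the raw (still encoded) string is exactly the "weakly implemented filter" the advisory describes.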
Preconditions
- network: Attacker must have network access to the Onkyo TX-NR585 device (e.g., same LAN segment)
- auth: No authentication required; the web server(s) are exposed without login
- config: The device must be running firmware version 1000-0000-000-0008-0000
Reproduction
1. Locate the Onkyo receiver on the network (e.g., via `nmap -sT -vvv 192.168.0.80`).
2. Capture an HTTP request to any of the device's web servers (e.g., port 8080) in Burp Suite and send it to Repeater.
3. Modify the URL path to include `%2e%2e%2f` sequences to traverse back to the root of the filesystem, then request a sensitive file such as `/etc/shadow`.
4. Observe the file contents in the response, confirming LFI [ref_id=1].
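For defenders, the request pattern in the steps above is straightforward to spot in web-server access logs. The following added Python example (written for this page, not part of the advisory) parses a few constructed Common Log Format lines, percent-decodes each request path and flags any that contains a `..` segment after decoding, rating a request the server answered with HTTP 200 higher than a refused one. The log lines, addresses and field layout are constructed for the example; the receiver's actual log format is not documented on the page.

```python
import re
from urllib.parse import unquote

# Constructed sample access log in Common Log Format. The addresses, timestamps
# and layout are invented for this example; the receiver's real log format is
# not documented in the advisory.
SAMPLE_LOG = """\
192.168.0.23 - - [10/May/2020:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 1024
192.168.0.23 - - [10/May/2020:12:00:02 +0000] "GET /css/style.css HTTP/1.1" 200 512
192.168.0.55 - - [10/May/2020:12:00:03 +0000] "GET /%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fshadow HTTP/1.1" 200 883
192.168.0.55 - - [10/May/2020:12:00:04 +0000] "GET /%252e%252e%252fetc%252fpasswd HTTP/1.1" 404 0
192.168.0.23 - - [10/May/2020:12:00:05 +0000] "GET /images/..../logo.png HTTP/1.1" 404 0
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>\S+)" (?P<status>\d{3}) (?P<size>\S+)$'
)


def decode_path(raw: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) so double-encoded traversal is visible."""
    current = raw
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current


def is_traversal(path: str) -> bool:
    """True when the decoded path contains a '..' segment. Matching whole
    segments rather than the substring '..' keeps names like '....' from
    raising false alarms."""
    return ".." in decode_path(path).split("/")


def scan(log_text: str) -> list:
    """Return one alert per request whose decoded path traverses with '..'.
    A 200 response to such a request means the server most likely served the
    file, so it is rated higher than a refused (non-200) attempt."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_traversal(m["path"]):
            continue
        status = int(m["status"])
        alerts.append({
            "src": m["src"],
            "ts": m["ts"],
            "path": m["path"],
            "decoded": decode_path(m["path"]),
            "status": status,
            "severity": "high" if status == 200 else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"[{alert['severity']}] {alert['src']} {alert['status']} {alert['decoded']}")
```

Running the scan over the sample yields two alerts from the same source: a high-severity hit where the decoded path is `/../../../etc/shadow` and the response was 200, and a medium-severity one for a double-encoded attempt the server refused. The `....` directory name in the last line is deliberately not flagged.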
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. blog.spookysec.net/onkyo-lfi/ (MISC)