Authentication bypass by including a magic string in the URL. The string isn’t exactly magic; rather, it seems this page (setup.cgi) has a single file that needs to be accessed without authentication. So, in an ad hoc check, the application just looks for a string that is unique to that request line and turns off authentication. The problem is that it doesn’t check any of the context around that string.
If todo=PNPX_GetShareFolderList is present anywhere in the request line, then authentication will be turned off. This can be used to disclose files such as:
NETGEAR_D7000.cfg, which contains the device configuration including a hashed admin password
BRS_swisscom_success.html, which contains the plaintext admin password
Once the admin password has been disclosed, an attacker can authenticate to the device and enable Telnet for RCE.
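To make the flaw concrete, here is an added example (not the router's firmware, which is not shown on this page): a re-creation of the context-free substring check described above, beside a hardened check that parses the request line first and only waives login for a GET to /setup.cgi whose single todo parameter is exactly the allow-listed action. The sample request lines are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# The one action the advisory says must be reachable without a login.
UNAUTH_ACTION = "PNPX_GetShareFolderList"
UNAUTH_PATH = "/setup.cgi"


def vulnerable_requires_auth(request_line: str) -> bool:
    """Ad hoc check as the advisory describes it: the magic string anywhere
    in the raw request line disables authentication, regardless of which
    path or which parameter it appears in."""
    return "todo=" + UNAUTH_ACTION not in request_line


def hardened_requires_auth(request_line: str) -> bool:
    """Parse, then decide. Login is waived only when the method is GET, the
    path is exactly /setup.cgi and 'todo' has exactly one value equal to the
    allow-listed action. Anything malformed fails closed (auth required)."""
    parts = request_line.split(" ")
    if len(parts) != 3:
        return True                      # not "METHOD target VERSION"
    method, target, _version = parts
    if method != "GET":
        return True
    url = urlsplit(target)
    if url.path != UNAUTH_PATH:          # the token in another path is irrelevant
        return True
    params = parse_qs(url.query, keep_blank_values=True)
    # parse_qs splits each pair on the first '=', so a value such as
    # "todo=PNPX_..." hidden inside another parameter never becomes 'todo'.
    return params.get("todo") != [UNAUTH_ACTION]


# Constructed request lines (not captured traffic).
LEGIT = "GET /setup.cgi?todo=PNPX_GetShareFolderList HTTP/1.1"
OTHER_PATH = "GET /other_page.cgi?todo=PNPX_GetShareFolderList HTTP/1.1"
OTHER_ACTION = ("GET /setup.cgi?todo=SomeOtherAction"
                "&comment=todo=PNPX_GetShareFolderList HTTP/1.1")


def compare(request_line: str) -> dict:
    """Return both verdicts for one request line, for side-by-side review."""
    return {
        "vulnerable": vulnerable_requires_auth(request_line),
        "hardened": hardened_requires_auth(request_line),
    }


if __name__ == "__main__":
    for line in (LEGIT, OTHER_PATH, OTHER_ACTION):
        print(line, "->", compare(line))
```

Only the first request is waived by both checks; the vulnerable check also waives the other two because it never looks at where the string sits.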