0day.today - Biggest Exploit Database in the World.
![](/img/logo_green.jpg)
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earnGOLD
Administration of this site uses the official contacts. Beware of impostors!
![We DO NOT use Telegram or any messengers / social networks!](/img/no_telegram_big.png)
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Conceptronic Wireless Pan & Tilt Network Camera - CSRF Vulnerability
Author
Risk
![](/img/risk/critlow_1.gif)
Security Risk Low
]0day-ID
Category
Date add
CVE
Platform
Affected Product: Conceptronic camera CIPCAMPTIWL Tested Firmware: 21.37.2.49 Tested Web UI Firmware: 0.61.4.18 Assigned CVE: CVE-2013-7204 CVSSv2 Base Score: 5.8 (AV:N/AC:M/AU:N/C:P/I:P/A:N) Vulnerability Type: Cross-Site Request Forgery [CWE-352] Solution Status: Not Fixed Vendor Notification Timeline: - 23/12/2013: Contacting with technical support through their web form http://www.conceptronic.net/supcon.php?action=init - 23/12/2013: Contacting with general information email addres (info@conceptronic.net) to inform about the vulnerability and request suitable security or technical contact to send the complete details of the CSRF. - 25/12/2013: Contacting with public twitter accounts @conceptronic and @conceptronic_es to request suitable security or technical contact to send the complete details of the CSRF. - 28/12/2013: Recontacting the technical support. - 28/12/2013: Recontacting general information address info@conceptronic.net. - 02/01/2014: Trying to conntact with security@conceptronic.net y vulnerabilities@conceptronic.net but they are non existent addresses. - 03/01/2014: Involve Inteco CERT in the notification proccess. - 08/01/2014: Inteco confirms that there is still no response from Conceptronic. None of the comunication atempts with the vendor received a response, so I'm publishing the advisory to warn users and confirm the vulnerability with you. **Vulnerabilitty details** The CSRF is present in the CGI formulary used to create and modify users of the web interface of the camera (/set_users.cgi). This CSRF would allow a malicious attacker to create users in the camera web interface (including administrator users) if he is able to lure the legitimate administrator of the camera to visit a web controlled by the attacker. An example of the process to exploit this vulnerability: 1- A webcam administrator is already logged in the camera web interface. 2- A malicious user knows it and send a link to this administrator pointing to a web controlled by this attacker (http://example.com/conceptronic_csrf.html). In this web, the attacker placed an image with the following code: <img alt="csrf image" src="http://<victim_camera_server>/set_users.cgi?next_url=rebootme.htm&user1=attacker&pwd1=attacker&pri1=2&user2=&pwd2=&pri2=0&user3=&pwd3=&pri3=0&user4=&pwd4=&pri4=0&user5=&pwd5=&pri5=0&user6=&pwd6=&pri6=0&user7=&pwd7=&pri7=0&user8=&pwd8=&pri8=0"> 3- The webcam administrator visit the link. 4- The page http://example.com/test_csrf.html tries to load the image by making a GET request to the pointed URL, thus, making the legitimate administrator to create a new user identified by "attacker" and password "attacker". A video was uploaded to youtube showing this behaviour: https://www.youtube.com/watch?v=URXEe_VRc74 This issue can be fixed by adding an additional step to the user creation CGI, either requesting the administrator password again before creating/modifying any user or creating a hidden random token for each form (https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet) -- Felipe Molina de la Torre # 0day.today [2024-07-03] #