Ubiquiti Networks: CSRF: Replacing the router configuration backup having an 'operator' user and bypassing the "Referer:' whitelist protection

2017-06-15T06:17:58
ID H1:240098
Type hackerone
Reporter hacknroll
Modified 2017-11-24T11:28:25

Description

EdgeOS version 1.9.1 and prior, the researcher was able to bypass the CSRF protection. An attacker with access to an operator (read-only) account, can lure an admin (root) user to access the attacker controlled page, doing so will allow the attacker to gain admin privileges in the system.