InfraPower PPS-02-S Q213V1 – Insecure Direct Object Reference

• Exploit Database
• 17 阅读

• 作者： LiquidWorm
  日期： 2016-10-28
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/40644/

• InfraPower PPS-02-S Q213V1 Insecure Direct Object Reference Authorization Bypass
  
  
  Vendor: Austin Hughes Electronics Ltd.
  Product web page: http://www.austin-hughes.com
  Affected version: Q213V1 (Firmware: V2395S)
  Fixed version: Q216V3 (Firmware: IPD-02-FW-v03)
  
  Summary: InfraPower Manager PPS-02-S is a FREE built-in GUI of each
  IP dongle ( IPD-02-S only ) to remotely monitor the connected PDUs.
  Patented IP Dongle provides IP remote access to the PDUs by a true
  network IP address chain. Only 1xIP dongle allows access to max. 16
  PDUs in daisy chain - which is a highly efficient cient application
  for saving not only the IP remote accessories cost, but also the true
  IP addresses required on the PDU management.
  
  Desc: Insecure Direct Object References occur when an application
  provides direct access to objects based on user-supplied input. As
  a result of this vulnerability attackers can bypass authorization
  and access resources and functionalities in the system directly, for
  example APIs, files, upload utilities, device settings, etc.
  
  Tested on: Linux 2.6.28 (armv5tel)
   lighttpd/1.4.30-devel-1321
   PHP/5.3.9
   SQLite/3.7.10
  
  
  Vulnerabiliy discovered by Gjoko 'LiquidWorm' Krstic
   @zeroscience
  
  
  Advisory ID: ZSL-2016-5373
  Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5373.php
  
  
  27.09.2016
  
  --
  
  
  GET /ConnPort.php
  GET /CSSSource.php
  GET /dball.php
  GET /doupgrate.php
  GET /IPSettings.php
  GET /ListFile.php
  GET /Menu.php
  GET /Ntp.php
  GET /PDUDetails_Ajax_Details.php
  GET /PDULog.php
  GET /PortSettings.php
  GET /production_test1.php ("backdoor")
  GET /UploadEXE.php