InfraPower PPS-02-S Q213V1 Insecure Direct Object Reference Authorization Bypass

vendor:

InfraPower Manager PPS-02-S

by:

Gjoko 'LiquidWorm' Krstic

8,8

CVSS

HIGH

Insecure Direct Object Reference Authorization Bypass

639

CWE

Product Name: InfraPower Manager PPS-02-S

Affected Version From: Q213V1 (Firmware: V2395S)

Affected Version To: Q216V3 (Firmware: IPD-02-FW-v03)

Patch Exists: YES

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Linux 2.6.28 (armv5tel), lighttpd/1.4.30-devel-1321, PHP/5.3.9, SQLite/3.7.10

2016

InfraPower PPS-02-S Q213V1 Insecure Direct Object Reference Authorization Bypass

Insecure Direct Object References occur when an application provides direct access to objects based on user-supplied input. As a result of this vulnerability attackers can bypass authorization and access resources and functionalities in the system directly, for example APIs, files, upload utilities, device settings, etc.

Mitigation:

Ensure that user-supplied input is not used to directly access objects in the system.

Source

Exploit-DB raw data:

InfraPower PPS-02-S Q213V1 Insecure Direct Object Reference Authorization Bypass


Vendor: Austin Hughes Electronics Ltd.
Product web page: http://www.austin-hughes.com
Affected version: Q213V1 (Firmware: V2395S)
Fixed version: Q216V3 (Firmware: IPD-02-FW-v03)

Summary: InfraPower Manager PPS-02-S is a FREE built-in GUI of each
IP dongle ( IPD-02-S only ) to remotely monitor the connected PDUs.
Patented IP Dongle provides IP remote access to the PDUs by a true
network IP address chain. Only 1xIP dongle allows access to max. 16
PDUs in daisy chain - which is a highly efficient cient application
for saving not only the IP remote accessories cost, but also the true
IP addresses required on the PDU management.

Desc: Insecure Direct Object References occur when an application
provides direct access to objects based on user-supplied input. As
a result of this vulnerability attackers can bypass authorization
and access resources and functionalities in the system directly, for
example APIs, files, upload utilities, device settings, etc.

Tested on: Linux 2.6.28 (armv5tel)
           lighttpd/1.4.30-devel-1321
           PHP/5.3.9
           SQLite/3.7.10


Vulnerabiliy discovered by Gjoko 'LiquidWorm' Krstic
                           @zeroscience


Advisory ID: ZSL-2016-5373
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5373.php


27.09.2016

--


GET /ConnPort.php
GET /CSSSource.php
GET /dball.php
GET /doupgrate.php
GET /IPSettings.php
GET /ListFile.php
GET /Menu.php
GET /Ntp.php
GET /PDUDetails_Ajax_Details.php
GET /PDULog.php
GET /PortSettings.php
GET /production_test1.php ("backdoor")
GET /UploadEXE.php