Simple CSRF for Cisco Wireless LAN Controller
Posted by: h3xstream
Date: April 26, 2010 05:28PM

Here's a simple CSRF that will disconnect users using Cisco Wireless LAN Controller: http://www.cisco.com/en/US/docs/wireless/controller/5.1/configuration/guide/c51users.html#wpmkr1056080
For the background: This system is a web login used mostly on unencrypted wireless access points.

<img src="https://1.1.1.1/logout.html?userStatus=1&err_flag=0&err_msg="/>

- No referrer validation
- No method validation (the form is supposed to be POST)
- No token / captcha

The original form : http://slexy.org/view/s20YhD795p



Edited 3 time(s). Last edit at 04/27/2010 12:31PM by h3xstream.
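
Added example, not part of the thread and not Cisco's code: a server-side check for a logout request that covers the three gaps listed in the post above (method, referrer/origin, token). Every name here (`check_logout`, `csrf_token`, `SERVER_KEY`, the `csrf_token` form field, the session id) is hypothetical, the sample requests are constructed, and header names are assumed to arrive in the casing shown.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# All names below are hypothetical; nothing here is Cisco's code.
SERVER_KEY = b"constructed-demo-key"   # per-deployment secret (constructed)
PORTAL_ORIGIN = "https://1.1.1.1"      # portal address used in the post


def csrf_token(session_id: str) -> str:
    """Token bound to the session, embedded in the real logout form."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def origin_of(url: str) -> str:
    """Reduce an Origin or Referer header value to scheme://host[:port]."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"


def check_logout(method: str, headers: dict, form: dict, session_id: str) -> str:
    """Return "ok" or the reason the logout request is refused."""
    # 1. Method validation: passive loads such as <img> only ever issue GET.
    if method.upper() != "POST":
        return "method"
    # 2. Source validation: prefer Origin, fall back to Referer; absent = refuse.
    source = headers.get("Origin") or headers.get("Referer")
    if not source or origin_of(source) != PORTAL_ORIGIN:
        return "origin"
    # 3. Token validation: constant-time compare against the session's token.
    supplied = form.get("csrf_token", "").encode()
    if not hmac.compare_digest(supplied, csrf_token(session_id).encode()):
        return "token"
    return "ok"


# Constructed sample requests, all for the same constructed session id.
SID = "session-1234"
SAMPLES = {
    "img tag from the post": ("GET", {"Referer": "https://forum.example/topic"}, {}),
    "cross-site POST": ("POST", {"Origin": "https://forum.example"}, {"userStatus": "1"}),
    "same origin, no token": ("POST", {"Origin": PORTAL_ORIGIN}, {"userStatus": "1"}),
    "genuine logout form": ("POST", {"Referer": PORTAL_ORIGIN + "/logout.html"},
                            {"userStatus": "1", "csrf_token": csrf_token(SID)}),
}

if __name__ == "__main__":
    for name, (method, headers, form) in SAMPLES.items():
        print(f"{name}: {check_logout(method, headers, form, SID)}")
```

Each check refuses a different sample: the method check alone stops the `<img>` request, while the origin and token checks cover cross-site POSTs and same-origin requests that lack the session's token.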

Re: Simple CSRF for Cisco Wireless LAN Controller
Posted by: Skyphire
Date: April 27, 2010 08:06AM

Nice. Can you sniff that particular LAN controller? Like an image, or stylesheet?

Re: Simple CSRF for Cisco Wireless LAN Controller
Posted by: h3xstream
Date: April 27, 2010 12:45PM

Sniffing? The login page is using SSL.

Image and stylesheet? If you mean being able to detect that a visitor is using this service, logout.html should do the trick without disconnecting users.

<img src="https://1.1.1.1/logout.html" onerror="alert('nothing special')" onload="alert('Hi Cisco user!')"/>

Re: Simple CSRF for Cisco Wireless LAN Controller
Posted by: Skyphire
Date: April 27, 2010 05:53PM

That's what I meant; sniffing the particular router/service. Usually routers have images which you can check fast, like spacers.gif or bg.gif, faster than html pages if you're scanning a whole list of routers.
