exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

VMU-C CSRF / XSS / Access Control

VMU-C CSRF / XSS / Access Control
Posted Apr 6, 2017
Authored by Karn Ganeshen

The VMU-C webserver suffers from cross site request forgery, cross site scripting, access control, weak credential management, and insecure storage vulnerabilities. VMU-C EM prior to firmware Version A11_U05 and VMU-C PV prior to firmware Version A17 are affected.

tags | advisory, vulnerability, xss, info disclosure, csrf
advisories | CVE-2017-5144, CVE-2017-5145, CVE-2017-5146
SHA-256 | 1582c6722bcf37eb3cd5c16f529748ff9d4b17c5c7e4c15f8293942e38016191

VMU-C CSRF / XSS / Access Control

Change Mirror Download
*VMU-C Web-Server solution for photovoltaic applications*

VMU-C EM is a data logger system for small to medium projects, VMUC-Y EM is
a hardware data aggregator for medium to larger projects and Em2 Server is
a software solution for large projects. They are designed to complement the
extensive line of Carlo Gavazzi energy meters and current transformers.

*ICS-CERT advisory*
https://ics-cert.us-cert.gov/advisories/ICSA-17-012-03

*CVE-IDs*
CVE-2017-5144
CVE-2017-5145
CVE-2017-5146

*Vulnerable versions*

- VMU-C EM prior to firmware Version A11_U05, and
- VMU-C PV prior to firmware Version A17


*1. Weak Credentials Management*
-> admin/admin
-> Application does not enforce mandatory password change

*2. Sensitive Information stored in clear-text*
Accounts menu option
a shows username and password
a passwords shown in clear-text
a SMTP server password
a user and service passwords are stored in clear-text

*3. Access Control flaws*

1. Access control is not enforced correctly
2. Certain application functions can be accessed without any
authentication
3. Application stores the Energy / Plant data in a sqlite database -
EWPlant.db. Anyone can dump plant database file - without any authentication

*4. Reflected + Stored XSS - multiple URLs, parameters - *Not documented in
ICS-CERT Advisory

Successful exploitation of this vulnerability could allow an
unauthenticated attacker to inject arbitrary JavaScript in a specially
crafted URL request where the response containing user data is returned to
the web browser without being made safe to display.

*5. Vulnerable to Cross-Site Request Forgery*

There is no CSRF Token generated per page and / or per (sensitive)
function. Successful exploitation of this vulnerability can allow silent
execution of unauthorized actions on the device such as configuration
parameter changes, and saving modified configuration.

+++++


Login or Register to add favorites

File Archive:

June 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    0 Files
  • 2
    Jun 2nd
    0 Files
  • 3
    Jun 3rd
    18 Files
  • 4
    Jun 4th
    21 Files
  • 5
    Jun 5th
    0 Files
  • 6
    Jun 6th
    57 Files
  • 7
    Jun 7th
    6 Files
  • 8
    Jun 8th
    0 Files
  • 9
    Jun 9th
    0 Files
  • 10
    Jun 10th
    12 Files
  • 11
    Jun 11th
    27 Files
  • 12
    Jun 12th
    38 Files
  • 13
    Jun 13th
    16 Files
  • 14
    Jun 14th
    0 Files
  • 15
    Jun 15th
    0 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    0 Files
  • 18
    Jun 18th
    0 Files
  • 19
    Jun 19th
    0 Files
  • 20
    Jun 20th
    0 Files
  • 21
    Jun 21st
    0 Files
  • 22
    Jun 22nd
    0 Files
  • 23
    Jun 23rd
    0 Files
  • 24
    Jun 24th
    0 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close