ID

VAR-201304-0570


TITLE

Foscam Cross-Site Request Forgery Vulnerability

Trust: 0.6

sources: CNVD: CNVD-2013-02879

DESCRIPTION

Foscam is a webcam video recording device. Foscam has a cross-site request forgery vulnerability that allows an attacker to execute arbitrary commands on an affected browser. The embedded web interface, version 2.4.10.3 and older, of the Foscam FI8910W, FI8908W and many others is vulnerable to CSRF attacks. This allows an attacker to perform calls to any CGI API using the cached basic server authentication data stored in the victim's browser.

Details: For example, the following URL, if requested by the victim's browser, would wipe all user records and add a 'csrf' user with administrator privileges:

http://cameraurl/set_users.cgi?user1=&pwd1=&pri1=2&user2=&pwd2=&pri2=&user3=&pwd3=&pri3=&user4=&pwd4=&pri4=&user5=&pwd5=&pri5=&user6=&pwd6=&pri6=&user7=&pwd7=&pri7=&user8=csrf&pwd8=csrf&pri8=2&next_url=

The CGI API manual for the mentioned cameras is available at http://www.foscam.es/descarga/ipcam_cgi_sdk.pdf

Trust: 0.63

sources: CNVD: CNVD-2013-02879 // PACKETSTORM: 121177

IOT TAXONOMY

category: ['Network device'] sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2013-02879

AFFECTED PRODUCTS

vendor: foscam model: fi8910w scope: - version: -

Trust: 0.6

vendor: foscam model: fi8908w scope: - version: -

Trust: 0.6

sources: CNVD: CNVD-2013-02879

CVSS

SEVERITY

CNVD: CNVD-2013-02879
value: LOW

Trust: 0.6

CVSSV2

CNVD: CNVD-2013-02879
severity: LOW
baseScore: 3.5
vectorString: AV:N/AC:M/AU:S/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

sources: CNVD: CNVD-2013-02879

TYPE

csrf

Trust: 0.1

sources: PACKETSTORM: 121177

EXTERNAL IDS

db: PACKETSTORM id: 121177

Trust: 0.7

db: CNVD id: CNVD-2013-02879

Trust: 0.6

sources: CNVD: CNVD-2013-02879 // PACKETSTORM: 121177

REFERENCES

url: http://packetstormsecurity.com/files/121177/foscam-cross-site-request-forgery.html

Trust: 0.6

url: http://www.foscam.es/descarga/ipcam_cgi_sdk.pdf

Trust: 0.1

url: http://cameraurl/set_users.cgi?user1=&pwd1=&pri1=2&user2=&pwd2=&pri2=&user3=&pwd3=&pri3=&user4=&pwd4=&pri4=&user5=&pwd5=&pri5=&user6=&pwd6=&pri6=&user7=&pwd7=&pri7=&user8=csrf&pwd8=csrf&pri8=2&next_url=

Trust: 0.1

sources: CNVD: CNVD-2013-02879 // PACKETSTORM: 121177

CREDITS

shekyan

Trust: 0.1

sources: PACKETSTORM: 121177

SOURCES

db: CNVD id: CNVD-2013-02879
db: PACKETSTORM id: 121177

LAST UPDATE DATE

2022-05-17T01:57:50.830000+00:00


SOURCES UPDATE DATE

db: CNVD id: CNVD-2013-02879 date: 2013-05-22T00:00:00

SOURCES RELEASE DATE

db: CNVD id: CNVD-2013-02879 date: 2013-04-10T00:00:00
db: PACKETSTORM id: 121177 date: 2013-04-09T03:54:49