PT-2009-2608 · Eye Fi · Eye-Fi
Publicado
2009-09-01
·
Atualizado
2018-10-11
·
CVE-2008-7139
CVSS v2.0
6.8
Média
| Vetor | AV:N/AC:M/Au:N/C:P/I:P/A:P |
Name of the Vulnerable Software and Affected Versions
Eye-Fi version 1.1.2
Description
The issue allows remote attackers to hijack user authentication for requests that modify configuration. This can be achieved via a SOAPAction parameter of various endpoints, including (1)
urn:SetOptions for autostart, (2) urn:SetDesktopSync for file upload, (3) urn:SetFolderConfig for file download location or modification of authentication credentials, and (4) urn:AddNetwork for adding an arbitrary Service Set Identifier (SSID) to hijack image upload.Recommendations
For Eye-Fi version 1.1.2, consider disabling the SOAPAction parameters
urn:SetOptions, urn:SetDesktopSync, urn:SetFolderConfig, and urn:AddNetwork to minimize the risk of exploitation until a patch is available. Restrict access to these endpoints to prevent unauthorized configuration modifications.Exploit
Correção
CSRF
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Enumeração de Fraquezas
Identificadores relacionados
Produtos afetados
Eye-Fi