Conceptronic Wireless Pan & Tilt Network Camera - CSRF Vulnerability
|| CVE: 2013-7204
|Author: Felipe Molina
||Vulnerable App: N/A
Affected Product: Conceptronic camera CIPCAMPTIWL
Tested Firmware: 220.127.116.11
Tested Web UI Firmware: 0.61.4.18
Assigned CVE: CVE-2013-7204
CVSSv2 Base Score: 5.8 (AV:N/AC:M/AU:N/C:P/I:P/A:N)
Vulnerability Type: Cross-Site Request Forgery [CWE-352]
Solution Status: Not Fixed
Vendor Notification Timeline:
- 23/12/2013: Contacting with technical support through their web
- 23/12/2013: Contacting with general information email addres
(email@example.com) to inform about the vulnerability and request
suitable security or technical contact to send the complete details of
- 25/12/2013: Contacting with public twitter accounts
@conceptronic and @conceptronic_es to request suitable security or
technical contact to send the complete details of the CSRF.
- 28/12/2013: Recontacting the technical support.
- 28/12/2013: Recontacting general information address
- 02/01/2014: Trying to conntact with firstname.lastname@example.org y
email@example.com but they are non existent addresses.
- 03/01/2014: Involve Inteco CERT in the notification proccess.
- 08/01/2014: Inteco confirms that there is still no response from
None of the comunication atempts with the vendor received a response,
so I'm publishing the advisory to warn users and confirm the
vulnerability with you.
The CSRF is present in the CGI formulary used to create and modify
users of the web interface of the camera (/set_users.cgi). This CSRF
would allow a malicious attacker to create users in the camera web
interface (including administrator users) if he is able to lure the
legitimate administrator of the camera to visit a web controlled by
An example of the process to exploit this vulnerability:
1- A webcam administrator is already logged in the camera web interface.
2- A malicious user knows it and send a link to this administrator
pointing to a web controlled by this attacker
(http://example.com/conceptronic_csrf.html). In this web, the attacker
placed an image with the following code:
<img alt="csrf image"
3- The webcam administrator visit the link.
4- The page http://example.com/test_csrf.html tries to load the image
by making a GET request to the pointed URL, thus, making the
legitimate administrator to create a new user identified by "attacker"
and password "attacker".
A video was uploaded to youtube showing this behaviour:
This issue can be fixed by adding an additional step to the user
creation CGI, either requesting the administrator password again
before creating/modifying any user or creating a hidden random token
for each form (https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet)
Felipe Molina de la Torre