Conceptronic Wireless Pan & Tilt Network Camera - Cross-Site Request Forgery







**General Details**

Affected Product: Conceptronic camera CIPCAMPTIWL
Tested Firmware:
Tested Web UI Firmware:
Assigned CVE: CVE-2013-7204
CVSSv2 Base Score: 5.8 (AV:N/AC:M/AU:N/C:P/I:P/A:N)
Vulnerability Type: Cross-Site Request Forgery [CWE-352]
Solution Status: Not Fixed
Vendor Notification Timeline:
    - 23/12/2013: Contacting with technical support through their web
    - 23/12/2013: Contacting with general information email addres
( to inform about the vulnerability and request
suitable security or technical contact to send the complete details of
the CSRF.
    - 25/12/2013: Contacting with public twitter accounts
@conceptronic and @conceptronic_es to request suitable security or
technical contact to send the complete details of the CSRF.
    - 28/12/2013: Recontacting the technical support.
    - 28/12/2013: Recontacting general information address
    - 02/01/2014: Trying to conntact with y but they are non existent addresses.
    - 03/01/2014: Involve Inteco CERT in the notification proccess.
    - 08/01/2014: Inteco confirms that there is still no response from

None of the comunication atempts with the vendor received a response,
so I'm publishing the advisory to warn users and confirm the
vulnerability with you.

**Vulnerabilitty details**

The CSRF is present in the CGI formulary used to create and modify
users of the web interface of the camera (/set_users.cgi). This CSRF
would allow a malicious attacker to create users in the camera web
interface (including administrator users) if he is able to lure the
legitimate administrator of the camera to visit a web controlled by
the attacker.

An example of the process to exploit this vulnerability:

1- A webcam administrator is already logged in the camera web interface.

2- A malicious user knows it and send a link to this administrator
pointing to a web controlled by this attacker
( In this web, the attacker
placed an image with the following code:

  <img alt="csrf image"

3- The webcam administrator visit the link.

4- The page tries to load the image
by making a GET request to the pointed URL, thus, making the
legitimate administrator to create a new user identified by "attacker"
and password "attacker".

A video was uploaded to youtube showing this behaviour:

This issue can be fixed by adding an additional step to the user
creation CGI, either requesting the administrator password again
before creating/modifying any user or creating a hidden random token
for each form (

Felipe Molina de la Torre