Actively Exploited in the Wild

This vulnerability is being actively exploited in the wild.

Aquatronica Controller System Information Disclosure Vulnerability

Vulnerability

An information disclosure vulnerability exists in Aquatronica Controller System firmware versions through 5.1.6 and web interface versions through 2.0. The tcp.php endpoint does not enforce authentication, allowing remote attackers to send crafted POST requests and read sensitive configuration data, including plaintext administrative passwords. Because those credentials grant administrative access, the flaw can lead to complete compromise of the system, including unauthorized manipulation of connected devices and aquarium settings.

Impact

Exploitation of this vulnerability can result in unauthorized access to administrative credentials, allowing attackers to gain full control over the Aquatronica Controller System and its connected devices.

Reproduction

The vulnerability can be reproduced by sending a POST request to the tcp.php endpoint without authentication. The request must include a 'function_id' parameter set to 'TCP_XML_REQUEST' and a 'command' parameter set to 'ws_get_network_cfg'. Any tool that can craft HTTP requests will do, for example a short Python script using the Requests library.
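For defenders, the reproduction details above translate directly into a detection and blocking rule for a reverse proxy or WAF placed in front of the controller: deny any request to tcp.php that carries no authenticated session, and raise a high-severity alert when the request body matches the exact parameter pair named in this advisory, since that pattern indicates an attempt to read the administrative password. The following is an added example and not code from the advisory or from Aquatronica; it assumes requests are captured as simple dicts (method, path, headers, body) and that an authenticated session is indicated by a cookie named "session", which is a placeholder for whatever the real web interface uses. The sample requests at the bottom are constructed for illustration.

```python
"""Detection and mitigation logic for unauthenticated access to the
Aquatronica tcp.php endpoint (added example, not the vendor's code).

Assumptions (placeholders, not taken from the advisory):
  * requests are dicts captured by a proxy/WAF: method, path, headers, body
  * an authenticated session is indicated by a cookie named "session"
"""
from urllib.parse import parse_qs, urlsplit

SENSITIVE_ENDPOINT = "/tcp.php"
SESSION_COOKIE = "session"  # assumed cookie name; adjust to the real one

# Parameter pair named in the advisory's reproduction steps: an
# unauthenticated request carrying exactly these values is the known
# credential-disclosure probe.
KNOWN_PROBE = {"function_id": "TCP_XML_REQUEST", "command": "ws_get_network_cfg"}


def parse_cookies(header: str) -> dict:
    """Parse a Cookie header value into a name -> value dict (no quoting support)."""
    cookies = {}
    for part in header.split(";"):
        if "=" in part:
            name, _, value = part.strip().partition("=")
            cookies[name.strip()] = value.strip()
    return cookies


def is_authenticated(request: dict) -> bool:
    """True when the request carries a non-empty session cookie."""
    headers = {k.lower(): v for k, v in request.get("headers", {}).items()}
    return bool(parse_cookies(headers.get("cookie", "")).get(SESSION_COOKIE))


def classify_request(request: dict) -> str:
    """Return a verdict string for one request.

    'allow'                              - not tcp.php, or an authenticated caller
    'deny:known-credential-probe'        - unauthenticated POST with the advisory's
                                           parameter pair (block and alert)
    'deny:unauthenticated-endpoint'      - any other unauthenticated tcp.php access
    """
    path = urlsplit(request.get("path", "")).path
    if not path.lower().endswith(SENSITIVE_ENDPOINT):
        return "allow"
    if is_authenticated(request):
        return "allow"
    # parse_qs returns lists; keep the first value of each form field
    form = {k: v[0] for k, v in parse_qs(request.get("body", "")).items()}
    if request.get("method", "").upper() == "POST" and all(
        form.get(name) == value for name, value in KNOWN_PROBE.items()
    ):
        return "deny:known-credential-probe"
    return "deny:unauthenticated-endpoint"


def triage(requests: list) -> list:
    """Classify a batch of captured requests; returns one verdict per request."""
    return [classify_request(r) for r in requests]


# Constructed sample traffic (not real captures).
SAMPLE_REQUESTS = [
    {"method": "GET", "path": "/index.php", "headers": {}, "body": ""},
    {"method": "POST", "path": "/tcp.php", "headers": {"Content-Type": "application/x-www-form-urlencoded"},
     "body": "function_id=TCP_XML_REQUEST&command=ws_get_network_cfg"},
    {"method": "POST", "path": "/tcp.php", "headers": {"Cookie": "session=EXAMPLE_SESSION_ID"},
     "body": "function_id=TCP_XML_REQUEST&command=ws_get_network_cfg"},
    {"method": "GET", "path": "/tcp.php?function_id=TCP_XML_REQUEST", "headers": {}, "body": ""},
]

if __name__ == "__main__":
    for req, verdict in zip(SAMPLE_REQUESTS, triage(SAMPLE_REQUESTS)):
        print(f"{req['method']:4} {req['path']:45} -> {verdict}")
```

Every unauthenticated request to tcp.php is denied regardless of its parameters, because the advisory states the endpoint is not secured at all; the specific parameter match only upgrades the event to an alert worth investigating (and, given the page's note that this is exploited in the wild, a trigger for rotating the administrative password). The authenticated request is allowed so that the legitimate web interface keeps working behind the proxy.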

Added: Jun 20, 2025, 7:29 PM
Updated: Jun 20, 2025, 7:29 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.0
exploitability: 9.1
remediation: 0.0
relevance: 0.2
threat: 8.0
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.