Technostrobe HI-LED-WR120-G2 Cross-Site Request Forgery Vulnerability
Vulnerability
A cross-site request forgery (CSRF) vulnerability has been identified in the Technostrobe HI-LED-WR120-G2 obstruction lighting controller, specifically in version 5.5.0.1R6.03.30. This vulnerability allows remote attackers to manipulate an unknown function, leading to unauthorized actions being performed on behalf of the user.
Impact
Exploitation of this vulnerability allows for account takeover and unauthorized changes to the device's configuration, such as admin password changes.
Reproduction
The vulnerability can be reproduced by sending a POST request to the '/LoginCB' endpoint without any authentication. This request must include the 'updatePassword', 'userId', and 'newPassword' fields. The absence of CSRF protections allows this request to be forged easily, taking advantage of the victim's browser session.
Remediation
To address this vulnerability, Technostrobe should implement CSRF protection on the password change form: add a per-session CSRF token to the form and validate it server-side, set the SameSite attribute on session cookies so they are not sent with cross-site requests, validate the Origin header server-side, and require users to confirm their current password before a change is accepted.
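As an added illustration, not Technostrobe's code (the device's real server stack is unknown), the Python sketch below applies the four remediations to a handler for the '/LoginCB' password-change request; the device origin, session layout, secret, and the csrfToken and currentPassword field names are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlparse

# Assumed device origin and per-process session secret (constructed for this example).
ALLOWED_ORIGINS = {"https://controller.example"}
SECRET = secrets.token_bytes(32)

def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Salted PBKDF2 digest for stored credentials; returns (salt, digest)."""
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def csrf_token(session_id: str, secret: bytes = SECRET) -> str:
    """Token bound to the session: a page on another origin cannot know or derive it."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()

def session_cookie(session_id: str) -> str:
    """Set-Cookie value; SameSite=Strict keeps the cookie off cross-site POSTs."""
    return f"session={session_id}; Path=/; Secure; HttpOnly; SameSite=Strict"

def origin_allowed(headers: dict) -> bool:
    """Server-side Origin check; browsers send Origin on cross-site POSTs, so fail closed if absent."""
    origin = headers.get("Origin")
    if not origin:
        return False
    p = urlparse(origin)
    return f"{p.scheme}://{p.netloc}" in ALLOWED_ORIGINS

def handle_login_cb(form: dict, headers: dict, session: dict) -> tuple:
    """Hardened handling of POST /LoginCB carrying updatePassword, userId and newPassword."""
    if "updatePassword" not in form:
        return 400, "unsupported action"
    if not session.get("user"):
        return 401, "authentication required"
    if not origin_allowed(headers):
        return 403, "cross-origin request rejected"
    if not hmac.compare_digest(form.get("csrfToken", ""), csrf_token(session["id"])):
        return 403, "missing or invalid CSRF token"
    if form.get("userId") != session["user"]:
        return 403, "userId does not match the authenticated user"
    salt, stored = session["pw"]
    if not hmac.compare_digest(hash_password(form.get("currentPassword", ""), salt)[1], stored):
        return 403, "current password incorrect"
    session["pw"] = hash_password(form["newPassword"])
    return 200, "password updated"
```

The checks are ordered so that a request lacking a valid session, an allowed Origin, or a session-bound token is rejected before any credential is touched.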
